├── .gitattributes ├── README.md ├── config ├── general.php ├── help.php ├── info.php ├── securing.php ├── sinks.php ├── sources.php └── tokens.php ├── css ├── ayti.css ├── barf.css ├── code-dark.css ├── espresso.css ├── notepad++.css ├── phps.css ├── print.css ├── rips.css ├── rips.png ├── scanning.gif ├── term.css └── twilight.css ├── index.php ├── js ├── exploit.js ├── hotpatch.js ├── netron.js └── script.js ├── lib ├── analyzer.php ├── constructer.php ├── filer.php ├── printer.php ├── scanner.php ├── searcher.php └── tokenizer.php ├── main.php └── windows ├── code.php ├── exploit.php ├── function.php ├── help.php ├── hotpatch.php └── leakscan.php /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Rips0.55汉化版 2 | 3 | ### 0x01简介 4 | 5 | RIPS是一款PHP开发的开源的PHP[代码审计工具](http://bbs.ichunqiu.com/portal.php),由国外的安全研究者Johannes Dahse开发,目前开源的最新版本是0.55。程序小巧玲珑,仅有不到500kb,其中的PHP语法分析非常精准,可以实现跨文件变量和函数追踪,误报率较低。并拥有简单易懂的用户界面,因此被许多安全研究人员钟爱,RIPS可谓是PHP代码审计之利器。 6 | 7 | RIPS项目的官网为http://rips-scanner.sourceforge.net/和 https://www.ripstech.com/ 8 | 9 | 目前RIPS的免费开源版本已停止了程序更新,但官方目前给出了下个版本的说明 10 | 11 | ![ak1Ymq.png](https://s1.ax1x.com/2020/07/28/ak1Ymq.png) 12 | 13 | 14 | ### 0x02汉化预览 15 | 16 | 汉化前的官方原版如图 17 | 18 | ![ak1t00.png](https://s1.ax1x.com/2020/07/28/ak1t00.png) 19 | 20 | 个人汉化后的如图所示 21 | 22 | ![ak1N7V.png](https://s1.ax1x.com/2020/07/28/ak1N7V.png) 23 | 因为是自己三年前汉化的,个人水平有限,如有错误,欢迎大家斧正 24 | 25 | 期待大家的issue~ 26 | 27 | 28 | ### 3.使用说明 29 | 30 | 下载RIPS后将其解压放入PHPstudy的目录下即可使用(无需进行任何数据库配置) 31 | 32 | **记住路径一定不要存在中文!!!** 33 | 34 | 35 | 36 | ### 4.Paper 37 | 38 | 其他更多的使用注意事项,在此不过多赘述 39 | 40 | 各位看官有兴趣的话,欢迎浏览https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=42115&highlight=rips 41 | 
-------------------------------------------------------------------------------- /config/general.php: --------------------------------------------------------------------------------
<?php
/**
 * (license header not recoverable from this copy of the file)
 **/

// Runtime configuration for RIPS: error reporting, output flushing, resource
// limits and the scanner's tunable constants. Loaded before any scanning starts.

#error_reporting(E_ALL);
error_reporting(E_ERROR | E_PARSE); // warnings and notices are suppressed; switch to E_ALL when debugging
// various settings making flush() work correctly (progress output is streamed while scanning)
if(function_exists('apache_setenv'))
	apache_setenv('no-gzip', 1);
ini_set('zlib.output_compression', 0);
ini_set('implicit_flush', 0);
ini_set('output_buffering', 0);

ini_set('short_open_tag', 1); // who knows if I use them ;) -- NOTE(review): this ini entry is per-directory in current PHP, an ini_set() at runtime may have no effect; confirm
ini_set('auto_detect_line_endings', 1); // detect newlines in MAC files -- NOTE(review): deprecated since PHP 8.1; confirm on the target PHP version
ini_set("memory_limit","1000M"); // set memory size to 1G
set_time_limit(0); // 0 = no execution time limit (scans of large code bases can run for a long time)

// the scanner is built on token_get_all(); without the tokenizer extension nothing works
if (extension_loaded('tokenizer') === false)
{
	echo 'Please enable the PHP tokenizer extension to run RIPS.';
	exit;
}

define('VERSION','0.55'); // RIPS version to be displayed
define('MAXTRACE', 30); // maximum of parameter traces per sensitive sink
define('WARNFILES', 50); // warn user if amount of files to scan is higher than this value, also limits the graphs so they dont get too confusing and prevents browser hanging
define('BASEDIR', ''); // default directory shown
define('PHPDOC', 'http://php.net/'); // PHP documentation link
define('MAX_ARRAY_ELEMENTS', 50); // maximum array(1,2,3,4,...) elements to be indexed
define('MAX_ARRAY_KEYS', 10); // maximum array key $array[1][2][3][4]..
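define('PRELOAD_SHOW_LINE', 500); // every X lines a preloader information is added

define('SCAN_REGISTER_GLOBALS', false); // EXPERIMENTAL: scan as if register_globals=on

// file extensions that are treated as PHP source and scanned
$FILETYPES = array(
	'.php',
	'.inc',
	'.phps',
	'.php4',
	'.php5',
	//'.html',
	//'.htm',
	//'.txt',
	'.phtml',
	'.tpl',
	'.cgi',
	'.test',
	'.module',
	'.plugin'
);

// available stylesheets (filename without .css ending)
// more colors at http://wiki.macromates.com/Themes/UserSubmittedThemes
$stylesheets = array(
	'print',
	'phps',
	'code-dark',
	'twilight',
	'espresso',
	'term',
	'barf',
	'notepad++',
	'ayti'
);

// track chosen stylesheet permanently
// The POST field overrides the cookie. Both values are client-controlled and
// the chosen name is meant to be a CSS file name (see $stylesheets above), so
// only a name from that whitelist is accepted and everything else falls back
// to the default. in_array() with strict=true also rejects non-string input
// (e.g. an array submitted as stylesheet[]=...), which setcookie() cannot take.
// Assigning the POST value unconditionally is equivalent to the previous
// "only if different" check and avoids reading an undefined cookie index.
if (isset($_POST['stylesheet'])) {
	$_COOKIE['stylesheet'] = $_POST['stylesheet'];
}
$default_stylesheet = (isset($_COOKIE['stylesheet']) && in_array($_COOKIE['stylesheet'], $stylesheets, true))
	? $_COOKIE['stylesheet']
	: 'ayti';
setcookie("stylesheet", $default_stylesheet);

// preselected scan vector ('all' = every vulnerability type); consumed outside this file
$default_vector = 'all';

?>
-------------------------------------------------------------------------------- /config/help.php: --------------------------------------------------------------------------------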
<?php
/**
 * (license header not recoverable from this copy of the file)
 **/

// Help texts shown for each vulnerability category. Every $HELP_* array uses
// the same keys: 'description' (what the finding means), 'link' (external
// reference), 'code' (vulnerable example), 'poc' (example request),
// 'patchtext' (remediation advice) and 'patch' (patched example).
// NOTE(review): several 'code'/'patch' examples are empty or truncated strings
// in this copy (e.g. $HELP_XSS, $HELP_POP) -- confirm against upstream RIPS 0.55.
header("Content-type: text/html; charset=utf-8");
$HELP_XSS = array(
	'description' => '攻击者可能在这个安全漏洞的客户端浏览器中执行任意的HTML / JavaScript代码。污染数据是用户的浏览器的用户应用程序嵌入到HTML输出,从而允许攻击者将恶意代码执行。准备一个恶意链接将导致另一个用户的浏览器中点击链接时,该恶意代码的执行。这可能导致钓鱼或Cookie偷窃和会话劫持。',
	'link' => 'https://www.owasp.org/index.php/XSS',
	'code' => '',
	'poc' => '/index.php?name=',
	'patchtext' => '在将数据嵌入到输出之前,使用PHP BuudIn函数对所有用户污染数据进行编码。确保设置参数EntType以避免EvEnthDunl注入到现有HTML属性,并指定正确的字符集。',
	'patch' => ''
);

$HELP_HTTP_HEADER = array(
	'description' => '攻击者可以向HTTP响应头注入任意标头。当添加“设置cookie”标题时,当在会话固定攻击中注入标头或帮助时,这可能会被滥用。此外,可以覆盖HTTP响应,并可以注入JavaScript,导致XSS攻击。在4.4.2或5.1.2的PHP版本中,字符\\r(LF CR)可以用于头行终止(跨浏览器)。在PHP低于5.4的情况下,字符R(CR)仍然可以用于头行终止(Chrome,IE)。',
	'link' => 'https://www.owasp.org/index.php/HTTP_Response_Splitting',
	'code' => '',
	'poc' => '/index.php?url=a%0a%0dContent-Type:%20text/html%0a%0d%0a%0d',
	'patchtext' => '更新PHP以防止报头注入或实现白名单。',
	'patch' => ''
);

$HELP_SESSION_FIXATION = array(
	'description' => '攻击者可以强制用户使用特定的会话ID。一旦用户登录,攻击者可以使用先前固定的会话ID访问帐户。',
	'link' => 'https://www.owasp.org/index.php/Session_fixation',
	'code' => '',
	'poc' => '/index.php?sessid=1f3870be274f6c49b3e31a0c6728957f',
	'patchtext' => '不要使用用户提供的会话令牌。',
	'patch' => 'No code.'
);

$HELP_CODE = array(
	'description' => '攻击者可能使用此漏洞执行任意PHP代码。用户污染的数据被嵌入到一个函数中,该函数在运行时编译PHP代码并执行它,从而允许攻击者注入自己要执行的PHP代码。此漏洞可能导致服务器完全被入侵。',
	'link' => 'https://www.owasp.org/index.php/Code_Injection',
	'code' => '',
	'poc' => '/index.php?color=\';phpinfo();//',
	'patchtext' => '用正则表达式(例如仅字母数字)或数组为你的代码构建一个白名单。不要试图仅仅给PHP的evil函数设置黑名单.',
	'patch' => ''
);

$HELP_REFLECTION = array(
	'description' => '攻击者可能使用此漏洞执行任意函数。用户污秽数据用作函数名。这可能导致应用程序的执行特殊行为。',
	'link' => 'https://www.owasp.org/index.php/Reflection_injection',
	'code' => '',
	'poc' => '/index.php?func=phpinfo',
	'patchtext' => '给可信的函数设置白名单',
	'patch' => ''
);

$HELP_FILE_INCLUDE = array(
	'description' => '攻击者可能包括本地或远程PHP文件或读取带有此漏洞的非PHP文件。使用黑客的恶意数据。将对该文件中的PHP代码进行执行,将非PHP代码嵌入到输出中。此漏洞可能导致服务器完全倒戈。',
	'link' => 'http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/',
	'code' => '',
	'poc' => '/index.php?file=../../../../../../../etc/passwd',
	'patchtext' => '为文件名建立一个白名单。不要仅将文件名限制为特定路径或扩展名。',
	'patch' => ''
);

$HELP_FILE_READ = array(
	'description' => '攻击者可能会读取带有此漏洞的本地文件。当创建将被打开和读取的文件名时,使用用户的恶意数据,从而允许攻击者读取可能导致新攻击向量的Web服务器上的源代码和其他任意文件。例如,攻击者可以检测源代码文件中的新漏洞或读取用户凭据。',
	'link' => '',
	'code' => '',
	'poc' => '/index.php?file=../../../../../../../etc/passwd',
	'patchtext' => '为文件名建立一个白名单。不要仅将文件名限制为特定路径或扩展名。',
	'patch' => ''
);

$HELP_FILE_AFFECT = array(
	'description' => '攻击者可能会写入任意文件或将任意代码注入到具有此漏洞的文件中。当创建将被打开的文件名或创建将写入文件的字符串时使用用户注入的恶意数据。攻击者可以尝试在PHP文件中编写任意PHP代码,从而完全危及服务器。',
	'link' => '',
	'code' => '',
	'poc' => '/index.php?file=shell.php&data=',
	'patchtext' => '为正文件名建立一个白名单。不要仅将文件名限制为特定路径或扩展名。如果写入PHP文件,请确保攻击者不能编写自己的PHP代码。使用带有数组或正则表达式的白名单(例如仅字母数字)。',
	'patch' => ''
);

$HELP_EXEC = array(
	'description' => '攻击者可能使用此漏洞执行任意系统命令。当创建将在底层操作系统上执行的命令时,使用用户恶意数据。此漏洞可能导致服务器完全倒戈。',
	'link' => '',
	'code' => '',
	'poc' => '/index.php?mode=1;sleep 10;',
	'patchtext' => 'Limit the code to a very strict character subset or build a whitelist of allowed commands. Do not try to filter for evil commands. Try to avoid the usage of system command executing functions if possible.',
	'patch' => ''
);

$HELP_DATABASE = array(
	'description' => '攻击者可能使用此漏洞在数据库服务器上执行任意SQL命令。在创建数据库管理系统(DBMS)的数据库查询时,使用用户提交的恶意数据。攻击者可以注入自己的SQL语法,从而启动查询、插入或删除数据库条目或根据查询、DBMS和配置攻击底层操作系统。',
	'link' => 'https://www.owasp.org/index.php/SQL_Injection',
	'code' => '',
	'poc' => '/index.php?id=1 OR 1=1--',
	'patchtext' => '在将语句其嵌入到查询之前,总是将预期字符串嵌入到引用中,然后用PHP BuudIn函数来跳过字符串。总是在没有引用的情况下嵌入要使用的整数,并在将数据嵌入到查询之前,将数据类型化为整数。逃避数据,但不引用它嵌入是不安全的。',
	'patch' => ''
);

$HELP_XPATH = array(
	'description' => '攻击者可能使用此漏洞执行任意XPath表达式。当创建在XML资源上执行的XPath表达式时,使用用户的恶意数据。攻击者可以注入自己的XPath语法来读取任意XML条目。',
	'link' => 'http://packetstormsecurity.org/files/view/33380/Blind_XPath_Injection_20040518.pdf',
	'code' => 'xpath_eval("//user[name/text()=\'" . $_GET["name"] . "\']/account/text()"); ?>',
	'poc' => '/index.php?name=\' or \'\'=\'',
	'patchtext' => '在嵌入到表达式中之前,总是将预期字符串嵌入到引用中,然后用PHP BuudIn函数来跳过字符串。总是在没有引用的情况下嵌入期望的整数,并在将数据嵌入到表达式之前将数据类型化为整数。逃避数据,但不引用它嵌入是不安全的。',
	'patch' => 'xpath_eval("//user[name/text()=\'" . addslashes($_GET["name"]) . "\']/account/text()"); ?>'
);

$HELP_LDAP = array(
	'description' => '攻击者可能使用此漏洞执行任意LDAP表达式。当在LDAP服务器上执行LDAP筛选器时,使用用户污染的数据。攻击者可以注入自己的LDAP语法来读取任意LDAP条目。',
	'link' => 'http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf',
	'code' => '',
	'poc' => '/index.php?person=*',
	'patchtext' => '预期字符串不会嵌入到LDAP中的引号中。将输入字符集限制为字母数字(如果可能的话),以防止过滤器语法的注入。',
	'patch' => ''
);

// connection handling (protocol injection) has no single generic fix, hence the placeholders
$HELP_CONNECT = array(
	'description' => '攻击者可能会更改正在使用此漏洞传输的连接处理参数或数据。当选择参数或创建将被传输的数据时,使用受污染的数据,从而允许攻击者改变参数。取决于连接的类型,这可能会导致进一步的攻击。',
	'link' => '',
	'code' => 'Can not be generalized.',
	'poc' => 'Can not be generalized.',
	'patchtext' => 'Can not be generalized.',
	'patch' => 'Can not be generalized.'
);

// POP = property-oriented programming via unserialize() of attacker-controlled data
$HELP_POP = array(
	'description' => '当UnServices被unSerialIZE()函数解析时,攻击者可能会通过提供将在当前应用范围中使用的序列化对象来滥用此功能。这些对象只能是该应用程序类的实例。当这些对象在非序列化过程中复活时,会自动调用这些类中的一些类,例如“γ-WAKEUP())或“γ-销毁”(),而这些攻击对象指定的对象变量可能会导致这些小工具中的漏洞。',
	'link' => 'https://media.blackhat.com/bh-us-10/presentations/Esser/BlackHat-USA-2010-Esser-Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits-slides.pdf',
	'code' => 'file, $this->data);
}
}
$a = unserialize($_GET["s"]);
?>',
	'poc' => '/index.php?s=O:3:"foo":2:{s:4:"file";s:9:"shell.php";s:4:"data";s:29:"";}',
	'patchtext' => '防止使用非序列化,因为它包含更多的缺陷。',
	'patch' => 'No code.'
);
?>
-------------------------------------------------------------------------------- /config/info.php: --------------------------------------------------------------------------------
15 | 16 | **/ 17 | 18 | final class Info 19 | { 20 | // interesting functions, output and comment them if seen 21 | public static $F_INTEREST = array( 22 | 'phpinfo' => '检测到存在phpinfo文件', 23 | 'registerPHPFunctions' => 'registerPHPFunctions()允许在XML代码执行', 24 | 'session_start' => '使用 sessions', 25 | #'session_destroy' => 'session_destroy(), delete arbitrary file in PHP 5.1.2', 26 | 'dbase_open' => '使用 DBMS dBase', 27 | 'dbplus_open' => '使用 DBMS DB++', 28 | 'dbplus_ropen' => '使用 DBMS DB++', 29 | 'fbsql_connect' => '使用 DBMS FrontBase' , 30 | 'ifx_connect' => '使用 DBMS Informix', 31 | 'db2_connect' => '使用 DBMS IBM DB2', 32 | 'db2_pconnect' => '使用 DBMS IBM DB2', 33 | 'ftp_connect' => '使用 FTP server', 34 | 'ftp_ssl_connect' => '使用 FTP server', 35 | 'ingres_connect' => '使用 DBMS Ingres', 36 | 'ingres_pconnect' => '使用 DBMS Ingres', 37 | 'ldap_connect' => '使用 LDAP server', 38 | 'msession_connect' => '使用 msession server', 39 | 'msql_connect' => '使用 DBMS mSQL', 40 | 'msql_pconnect' => '使用 DBMS mSQL', 41 | 'mssql_connect' => '使用 DBMS MS SQL', 42 | 'mssql_pconnect' => '使用 DBMS MS SQL', 43 | 'mysql_connect' => '使用 DBMS MySQL', 44 | #'mysql_escape_string' => 'insecure mysql_escape_string', 45 | 'mysql_pconnect' => '使用 DBMS MySQL', 46 | 'mysqli' => '使用 DBMS MySQL, MySQLi Extension', 47 | 'mysqli_connect' => '使用 DBMS MySQL, MySQLi Extension', 48 | 'mysqli_real_connect' => '使用 DBMS MySQL, MySQLi Extension', 49 | 'oci_connect' => '使用 DBMS Oracle OCI8', 50 | 'oci_new_connect' => '使用 DBMS Oracle OCI8', 51 | 'oci_pconnect' => '使用 DBMS Oracle OCI8', 52 | 'ocilogon' => '使用 DBMS Oracle OCI8', 53 | 'ocinlogon' => '使用 DBMS Oracle OCI8', 54 | 'ociplogon' => '使用 DBMS Oracle OCI8', 55 | 'ora_connect' => '使用 DBMS Oracle', 56 | 'ora_pconnect' => '使用 DBMS Oracle', 57 | 'ovrimos_connect' => '使用 DBMS Ovrimos SQL', 58 | 'pg_connect' => '使用 DBMS PostgreSQL', 59 | 'pg_pconnect' => '使用 DBMS PostgreSQL', 60 | 'sqlite_open' => '使用 DBMS SQLite', 61 | 'sqlite_popen' => '使用 DBMS SQLite', 62 | 'SQLite3' => '使用 
DBMS SQLite3', 63 | 'sybase_connect' => '使用 DBMS Sybase', 64 | 'sybase_pconnect' => '使用 DBMS Sybase', 65 | 'TokyoTyrant' => '使用 DBMS TokyoTyrant', 66 | 'xptr_new_context' => '使用 XML document', 67 | 'xpath_new_context' => '使用 XML document' 68 | ); 69 | 70 | // interesting functions for POP/Unserialze 71 | public static $F_INTEREST_POP = array( 72 | '__autoload' => 'function __autoload', 73 | '__destruct' => 'POP gagdet __destruct', 74 | '__wakeup' => 'POP gagdet __wakeup', 75 | '__toString' => 'POP gagdet __toString', 76 | '__call' => 'POP gagdet __call', 77 | '__callStatic' => 'POP gagdet __callStatic', 78 | '__get' => 'POP gagdet __get', 79 | '__set' => 'POP gagdet __set', 80 | '__isset' => 'POP gagdet __isset', 81 | '__unset' => 'POP gagdet __unset' 82 | ); 83 | 84 | } 85 | 86 | ?> -------------------------------------------------------------------------------- /config/securing.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | // securing functions in if-clause 19 | // list not used, all if clause dependencies detected anyway 20 | $F_SECURING_BOOL = array( 21 | 'is_bool', 22 | 'is_double', 23 | 'is_float', 24 | 'is_real', 25 | 'is_long', 26 | 'is_int', 27 | 'is_integer', 28 | 'is_null', 29 | 'is_numeric', 30 | 'is_finite', 31 | 'is_infinite', 32 | 'ctype_alnum', 33 | 'ctype_alpha', 34 | 'ctype_cntrl', 35 | 'ctype_digit', 36 | 'ctype_xdigit', 37 | 'ctype_upper', 38 | 'ctype_lower', 39 | 'ctype_space', 40 | 'in_array', 41 | 'preg_match', 42 | 'preg_match_all', 43 | 'fnmatch', 44 | 'ereg', 45 | 'eregi' 46 | ); 47 | 48 | // securing functions for every vulnerability 49 | $F_SECURING_STRING = array( 50 | 'intval', 51 | 'floatval', 52 | 'doubleval', 53 | 'filter_input', 54 | 'urlencode', 55 | 'rawurlencode', 56 | 'round', 57 | 'floor', 58 | 'strlen', 59 | 'strrpos', 60 | 'strpos', 61 | 'strftime', 62 | 'strtotime', 63 | 'md5', 64 | 'md5_file', 65 | 'sha1', 66 | 'sha1_file', 67 | 'crypt', 68 | 'crc32', 69 
| 'hash', 70 | 'mhash', 71 | 'hash_hmac', 72 | 'password_hash', 73 | 'mcrypt_encrypt', 74 | 'mcrypt_generic', 75 | 'base64_encode', 76 | 'ord', 77 | 'sizeof', 78 | 'count', 79 | 'bin2hex', 80 | 'levenshtein', 81 | 'abs', 82 | 'bindec', 83 | 'decbin', 84 | 'dechex', 85 | 'decoct', 86 | 'hexdec', 87 | 'rand', 88 | 'max', 89 | 'min', 90 | 'metaphone', 91 | 'tempnam', 92 | 'soundex', 93 | 'money_format', 94 | 'number_format', 95 | 'date_format', 96 | 'filetype', 97 | 'nl_langinfo', 98 | 'bzcompress', 99 | 'convert_uuencode', 100 | 'gzdeflate', 101 | 'gzencode', 102 | 'gzcompress', 103 | 'http_build_query', 104 | 'lzf_compress', 105 | 'zlib_encode', 106 | 'imap_binary', 107 | 'iconv_mime_encode', 108 | 'bson_encode', 109 | 'sqlite_udf_encode_binary', 110 | 'session_name', 111 | 'readlink', 112 | 'getservbyport', 113 | 'getprotobynumber', 114 | 'gethostname', 115 | 'gethostbynamel', 116 | 'gethostbyname', 117 | ); 118 | 119 | // functions that insecures the string again 120 | $F_INSECURING_STRING = array( 121 | 'base64_decode', 122 | 'htmlspecialchars_decode', 123 | 'html_entity_decode', 124 | 'bzdecompress', 125 | 'chr', 126 | 'convert_uudecode', 127 | 'gzdecode', 128 | 'gzinflate', 129 | 'gzuncompress', 130 | 'lzf_decompress', 131 | 'rawurldecode', 132 | 'urldecode', 133 | 'zlib_decode', 134 | 'imap_base64', 135 | 'imap_utf7_decode', 136 | 'imap_mime_header_decode', 137 | 'iconv_mime_decode', 138 | 'iconv_mime_decode_headers', 139 | 'hex2bin', 140 | 'quoted_printable_decode', 141 | 'imap_qprint', 142 | 'mb_decode_mimeheader', 143 | 'bson_decode', 144 | 'sqlite_udf_decode_binary', 145 | 'utf8_decode', 146 | 'recode_string', 147 | 'recode' 148 | ); 149 | 150 | // securing functions for XSS 151 | $F_SECURING_XSS = array( 152 | 'htmlentities', 153 | 'htmlspecialchars', 154 | 'highlight_string', 155 | ); 156 | 157 | // securing functions for SQLi 158 | $F_SECURING_SQL = array( 159 | 'addslashes', 160 | 'dbx_escape_string', 161 | 'db2_escape_string', 162 | 
'ingres_escape_string', 163 | 'maxdb_escape_string', 164 | 'maxdb_real_escape_string', 165 | 'mysql_escape_string', 166 | 'mysql_real_escape_string', 167 | 'mysqli_escape_string', 168 | 'mysqli_real_escape_string', 169 | 'pg_escape_string', 170 | 'pg_escape_bytea', 171 | 'sqlite_escape_string', 172 | 'sqlite_udf_encode_binary', 173 | 'cubrid_real_escape_string', 174 | ); 175 | 176 | // securing functions for RCE with e-modifier in preg_** 177 | $F_SECURING_PREG = array( 178 | 'preg_quote' 179 | ); 180 | 181 | // securing functions for file handling 182 | $F_SECURING_FILE = array( 183 | 'basename', 184 | 'dirname', 185 | 'pathinfo' 186 | ); 187 | 188 | // securing functions for OS command execution 189 | $F_SECURING_SYSTEM = array( 190 | 'escapeshellarg', 191 | 'escapeshellcmd' 192 | ); 193 | 194 | // securing XPath injection 195 | $F_SECURING_XPATH = array( 196 | 'addslashes' 197 | ); 198 | 199 | // securing LDAP injection 200 | $F_SECURING_LDAP = array( 201 | ); 202 | 203 | // all specific securings 204 | $F_SECURES_ALL = array_merge( 205 | $F_SECURING_XSS, 206 | $F_SECURING_SQL, 207 | $F_SECURING_PREG, 208 | $F_SECURING_FILE, 209 | $F_SECURING_SYSTEM, 210 | $F_SECURING_XPATH 211 | ); 212 | 213 | // securing functions that work only when embedded in quotes 214 | $F_QUOTE_ANALYSIS = $F_SECURING_SQL; 215 | 216 | ?> -------------------------------------------------------------------------------- /config/sinks.php: -------------------------------------------------------------------------------- 1 | . 
15 | 16 | **/ 17 | 18 | 19 | // cross-site scripting affected functions 20 | // parameter = 0 means, all parameters will be traced 21 | $NAME_XSS = 'XSS'; 22 | $F_XSS = array( 23 | 'echo' => array(array(0), $F_SECURING_XSS), 24 | 'print' => array(array(1), $F_SECURING_XSS), 25 | 'print_r' => array(array(1), $F_SECURING_XSS), 26 | 'exit' => array(array(1), $F_SECURING_XSS), 27 | 'die' => array(array(1), $F_SECURING_XSS), 28 | 'printf' => array(array(0), $F_SECURING_XSS), 29 | 'vprintf' => array(array(0), $F_SECURING_XSS), 30 | 'trigger_error' => array(array(1), $F_SECURING_XSS), 31 | 'user_error' => array(array(1), $F_SECURING_XSS), 32 | 'odbc_result_all' => array(array(2), $F_SECURING_XSS), 33 | 'ovrimos_result_all' => array(array(2), $F_SECURING_XSS), 34 | 'ifx_htmltbl_result' => array(array(2), $F_SECURING_XSS) 35 | ); 36 | 37 | // HTTP header injections 38 | $NAME_HTTP_HEADER = 'HTTP header注入'; 39 | $F_HTTP_HEADER = array( 40 | 'header' => array(array(1), array()) 41 | ); 42 | 43 | // session fixation 44 | $NAME_SESSION_FIXATION = '会话固定'; 45 | $F_SESSION_FIXATION = array( 46 | 'setcookie' => array(array(2), array()), 47 | 'setrawcookie' => array(array(2), array()), 48 | 'session_id' => array(array(1), array()) 49 | ); 50 | 51 | // code evaluating functions => (parameters to scan, securing functions) 52 | // example parameter array(1,3) will trace only first and third parameter 53 | $NAME_CODE = 'PHP代码执行'; 54 | $F_CODE = array( 55 | 'assert' => array(array(1), array()), 56 | 'create_function' => array(array(1,2), array()), 57 | 'eval' => array(array(1), array()), 58 | 'mb_ereg_replace' => array(array(1,2), $F_SECURING_PREG), 59 | 'mb_eregi_replace' => array(array(1,2), $F_SECURING_PREG), 60 | 'preg_filter' => array(array(1,2), $F_SECURING_PREG), 61 | 'preg_replace' => array(array(1,2), $F_SECURING_PREG), 62 | 'preg_replace_callback' => array(array(1), $F_SECURING_PREG), 63 | ); 64 | 65 | // reflection injection 66 | $NAME_REFLECTION = '反射注入'; 67 | $F_REFLECTION = 
array( 68 | 'event_buffer_new' => array(array(2,3,4), array()), 69 | 'event_set' => array(array(4), array()), 70 | 'iterator_apply' => array(array(2), array()), 71 | 'forward_static_call' => array(array(1), array()), 72 | 'forward_static_call_array' => array(array(1), array()), 73 | 'call_user_func' => array(array(1), array()), 74 | 'call_user_func_array' => array(array(1), array()), 75 | 'array_diff_uassoc' => array(array(3), array()), 76 | 'array_diff_ukey' => array(array(3), array()), 77 | 'array_filter' => array(array(2), array()), 78 | 'array_intersect_uassoc' => array(array(3), array()), 79 | 'array_intersect_ukey' => array(array(3), array()), 80 | 'array_map' => array(array(1), array()), 81 | 'array_reduce' => array(array(2), array()), 82 | 'array_udiff' => array(array(3), array()), 83 | 'array_udiff_assoc' => array(array(3), array()), 84 | 'array_udiff_uassoc' => array(array(3,4), array()), 85 | 'array_uintersect' => array(array(3), array()), 86 | 'array_uintersect_assoc' => array(array(3), array()), 87 | 'array_uintersect_uassoc' => array(array(3,4), array()), 88 | 'array_walk' => array(array(2), array()), 89 | 'array_walk_recursive' => array(array(2), array()), 90 | 'assert_options' => array(array(2), array()), 91 | 'ob_start' => array(array(1), array()), 92 | 'register_shutdown_function' => array(array(1), array()), 93 | 'register_tick_function' => array(array(1), array()), 94 | 'runkit_method_add' => array(array(1,2,3,4), array()), 95 | 'runkit_method_copy' => array(array(1,2,3), array()), 96 | 'runkit_method_redefine' => array(array(1,2,3,4), array()), 97 | 'runkit_method_rename' => array(array(1,2,3), array()), 98 | 'runkit_function_add' => array(array(1,2,3), array()), 99 | 'runkit_function_copy' => array(array(1,2), array()), 100 | 'runkit_function_redefine' => array(array(1,2,3), array()), 101 | 'runkit_function_rename' => array(array(1,2), array()), 102 | 'session_set_save_handler' => array(array(1,2,3,4,5), array()), 103 | 'set_error_handler' => 
array(array(1), array()), 104 | 'set_exception_handler' => array(array(1), array()), 105 | 'spl_autoload' => array(array(1), array()), 106 | 'spl_autoload_register' => array(array(1), array()), 107 | 'sqlite_create_aggregate' => array(array(2,3,4), array()), 108 | 'sqlite_create_function' => array(array(2,3), array()), 109 | 'stream_wrapper_register' => array(array(2), array()), 110 | 'uasort' => array(array(2), array()), 111 | 'uksort' => array(array(2), array()), 112 | 'usort' => array(array(2), array()), 113 | 'yaml_parse' => array(array(4), array()), 114 | 'yaml_parse_file' => array(array(4), array()), 115 | 'yaml_parse_url' => array(array(4), array()), 116 | 'eio_busy' => array(array(3), array()), 117 | 'eio_chmod' => array(array(4), array()), 118 | 'eio_chown' => array(array(5), array()), 119 | 'eio_close' => array(array(3), array()), 120 | 'eio_custom' => array(array(1,2), array()), 121 | 'eio_dup2' => array(array(4), array()), 122 | 'eio_fallocate' => array(array(6), array()), 123 | 'eio_fchmod' => array(array(4), array()), 124 | 'eio_fchown' => array(array(5), array()), 125 | 'eio_fdatasync' => array(array(3), array()), 126 | 'eio_fstat' => array(array(3), array()), 127 | 'eio_fstatvfs' => array(array(3), array()), 128 | 'preg_replace_callback' => array(array(2), array()), 129 | 'dotnet_load' => array(array(1), array()), 130 | ); 131 | 132 | // file inclusion functions => (parameters to scan, securing functions) 133 | $NAME_FILE_INCLUDE = '文件包含'; 134 | $F_FILE_INCLUDE = array( 135 | 'include' => array(array(1), $F_SECURING_FILE), 136 | 'include_once' => array(array(1), $F_SECURING_FILE), 137 | 'parsekit_compile_file' => array(array(1), $F_SECURING_FILE), 138 | 'php_check_syntax' => array(array(1), $F_SECURING_FILE), 139 | 'require' => array(array(1), $F_SECURING_FILE), 140 | 'require_once' => array(array(1), $F_SECURING_FILE), 141 | 'runkit_import' => array(array(1), $F_SECURING_FILE), 142 | 'set_include_path' => array(array(1), $F_SECURING_FILE), 143 | 
'virtual' => array(array(1), $F_SECURING_FILE) 144 | ); 145 | 146 | // file affecting functions => (parameters to scan, securing functions) 147 | // file handler functions like fopen() are added as parameter 148 | // for functions that use them like fread() and fwrite() 149 | $NAME_FILE_READ = '文件读取'; 150 | $F_FILE_READ = array( 151 | 'bzread' => array(array(1), $F_SECURING_FILE), 152 | 'bzflush' => array(array(1), $F_SECURING_FILE), 153 | 'dio_read' => array(array(1), $F_SECURING_FILE), 154 | 'eio_readdir' => array(array(1), $F_SECURING_FILE), 155 | 'fdf_open' => array(array(1), $F_SECURING_FILE), 156 | 'file' => array(array(1), $F_SECURING_FILE), 157 | 'file_get_contents' => array(array(1), $F_SECURING_FILE), 158 | 'finfo_file' => array(array(1,2), array()), 159 | 'fflush' => array(array(1), $F_SECURING_FILE), 160 | 'fgetc' => array(array(1), $F_SECURING_FILE), 161 | 'fgetcsv' => array(array(1), $F_SECURING_FILE), 162 | 'fgets' => array(array(1), $F_SECURING_FILE), 163 | 'fgetss' => array(array(1), $F_SECURING_FILE), 164 | 'fread' => array(array(1), $F_SECURING_FILE), 165 | 'fpassthru' => array(array(1,2), array()), 166 | 'fscanf' => array(array(1), $F_SECURING_FILE), 167 | 'ftok' => array(array(1), $F_SECURING_FILE), 168 | 'get_meta_tags' => array(array(1), $F_SECURING_FILE), 169 | 'glob' => array(array(1), array()), 170 | 'gzfile' => array(array(1), $F_SECURING_FILE), 171 | 'gzgetc' => array(array(1), $F_SECURING_FILE), 172 | 'gzgets' => array(array(1), $F_SECURING_FILE), 173 | 'gzgetss' => array(array(1), $F_SECURING_FILE), 174 | 'gzread' => array(array(1), $F_SECURING_FILE), 175 | 'gzpassthru' => array(array(1), $F_SECURING_FILE), 176 | 'highlight_file' => array(array(1), $F_SECURING_FILE), 177 | 'imagecreatefrompng' => array(array(1), $F_SECURING_FILE), 178 | 'imagecreatefromjpg' => array(array(1), $F_SECURING_FILE), 179 | 'imagecreatefromgif' => array(array(1), $F_SECURING_FILE), 180 | 'imagecreatefromgd2' => array(array(1), $F_SECURING_FILE), 181 | 
'imagecreatefromgd2part' => array(array(1), $F_SECURING_FILE), 182 | 'imagecreatefromgd' => array(array(1), $F_SECURING_FILE), 183 | 'opendir' => array(array(1), $F_SECURING_FILE), 184 | 'parse_ini_file' => array(array(1), $F_SECURING_FILE), 185 | 'php_strip_whitespace' => array(array(1), $F_SECURING_FILE), 186 | 'readfile' => array(array(1), $F_SECURING_FILE), 187 | 'readgzfile' => array(array(1), $F_SECURING_FILE), 188 | 'readlink' => array(array(1), $F_SECURING_FILE), 189 | //'stat' => array(array(1), array()), 190 | 'scandir' => array(array(1), $F_SECURING_FILE), 191 | 'show_source' => array(array(1), $F_SECURING_FILE), 192 | 'simplexml_load_file' => array(array(1), $F_SECURING_FILE), 193 | 'stream_get_contents' => array(array(1), $F_SECURING_FILE), 194 | 'stream_get_line' => array(array(1), $F_SECURING_FILE), 195 | 'xdiff_file_bdiff' => array(array(1,2), $F_SECURING_FILE), 196 | 'xdiff_file_bpatch' => array(array(1,2), $F_SECURING_FILE), 197 | 'xdiff_file_diff_binary' => array(array(1,2), $F_SECURING_FILE), 198 | 'xdiff_file_diff' => array(array(1,2), $F_SECURING_FILE), 199 | 'xdiff_file_merge3' => array(array(1,2,3), $F_SECURING_FILE), 200 | 'xdiff_file_patch_binary' => array(array(1,2), $F_SECURING_FILE), 201 | 'xdiff_file_patch' => array(array(1,2), $F_SECURING_FILE), 202 | 'xdiff_file_rabdiff' => array(array(1,2), $F_SECURING_FILE), 203 | 'yaml_parse_file' => array(array(1), $F_SECURING_FILE), 204 | 'zip_open' => array(array(1), $F_SECURING_FILE) 205 | ); 206 | 207 | // file or file system affecting functions 208 | $NAME_FILE_AFFECT = '文件操作'; 209 | $F_FILE_AFFECT = array( 210 | 'bzwrite' => array(array(2), array()), 211 | 'chmod' => array(array(1), $F_SECURING_FILE), 212 | 'chgrp' => array(array(1), $F_SECURING_FILE), 213 | 'chown' => array(array(1), $F_SECURING_FILE), 214 | 'copy' => array(array(1), array()), 215 | 'dio_write' => array(array(1,2), array()), 216 | 'eio_chmod' => array(array(1), $F_SECURING_FILE), 217 | 'eio_chown' => array(array(1), 
$F_SECURING_FILE), 218 | 'eio_mkdir' => array(array(1), $F_SECURING_FILE), 219 | 'eio_mknod' => array(array(1), $F_SECURING_FILE), 220 | 'eio_rmdir' => array(array(1), $F_SECURING_FILE), 221 | 'eio_write' => array(array(1,2), array()), 222 | 'eio_unlink' => array(array(1), $F_SECURING_FILE), 223 | 'error_log' => array(array(3), $F_SECURING_FILE), 224 | 'event_buffer_write' => array(array(2), array()), 225 | 'file_put_contents' => array(array(1,2), $F_SECURING_FILE), 226 | 'fputcsv' => array(array(1,2), $F_SECURING_FILE), 227 | 'fputs' => array(array(1,2), $F_SECURING_FILE), 228 | 'fprintf' => array(array(0), array()), 229 | 'ftruncate' => array(array(1), $F_SECURING_FILE), 230 | 'fwrite' => array(array(1,2), $F_SECURING_FILE), 231 | 'gzwrite' => array(array(1,2), array()), 232 | 'gzputs' => array(array(1,2), array()), 233 | 'loadXML' => array(array(1), array()), 234 | 'mkdir' => array(array(1), array()), 235 | 'move_uploaded_file' => array(array(1,2), $F_SECURING_FILE), 236 | 'posix_mknod' => array(array(1), $F_SECURING_FILE), 237 | 'recode_file' => array(array(2,3), $F_SECURING_FILE), 238 | 'rename' => array(array(1,2), $F_SECURING_FILE), 239 | 'rmdir' => array(array(1), $F_SECURING_FILE), 240 | 'shmop_write' => array(array(2), array()), 241 | 'touch' => array(array(1), $F_SECURING_FILE), 242 | 'unlink' => array(array(1), $F_SECURING_FILE), 243 | 'vfprintf' => array(array(0), array()), 244 | 'xdiff_file_bdiff' => array(array(3), $F_SECURING_FILE), 245 | 'xdiff_file_bpatch' => array(array(3), $F_SECURING_FILE), 246 | 'xdiff_file_diff_binary' => array(array(3), $F_SECURING_FILE), 247 | 'xdiff_file_diff' => array(array(3), $F_SECURING_FILE), 248 | 'xdiff_file_merge3' => array(array(4), $F_SECURING_FILE), 249 | 'xdiff_file_patch_binary' => array(array(3), $F_SECURING_FILE), 250 | 'xdiff_file_patch' => array(array(3), $F_SECURING_FILE), 251 | 'xdiff_file_rabdiff' => array(array(3), $F_SECURING_FILE), 252 | 'yaml_emit_file' => array(array(1,2), $F_SECURING_FILE), 253 | 
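);

/*
 * Sink tables. Every entry has the shape
 *     'function_name' => array(array(<parameter positions>), <securing functions>)
 * where the positions are 1-based indices of the arguments that must be traced
 * back to user input, and the securing list names the sanitizers that make a
 * tainted argument safe for that sink. An empty securing list means no string
 * escaping helps (the sink takes a handle, a path or a whole array).
 * NOTE(review): a position of 0 (session_register below) presumably means
 * "trace every argument" — confirm against lib/scanner.php before relying on it.
 */

// OS command executing functions => (parameters to scan, securing functions)
$NAME_EXEC = '命令执行';
$F_EXEC = array(
	'backticks'                => array(array(1), $F_SECURING_SYSTEM), # `cmd` is rewritten to backticks() during parsing
	'exec'                     => array(array(1), $F_SECURING_SYSTEM),
	'expect_popen'             => array(array(1), $F_SECURING_SYSTEM),
	'passthru'                 => array(array(1), $F_SECURING_SYSTEM),
	'pcntl_exec'               => array(array(1), $F_SECURING_SYSTEM),
	'popen'                    => array(array(1), $F_SECURING_SYSTEM),
	'proc_open'                => array(array(1), $F_SECURING_SYSTEM),
	'shell_exec'               => array(array(1), $F_SECURING_SYSTEM),
	'system'                   => array(array(1), $F_SECURING_SYSTEM),
	// the 5th argument is appended to the sendmail command line, so no shell
	// escaping is accepted: http://esec-pentest.sogeti.com/web/using-mail-remote-code-execution
	'mail'                     => array(array(5), array()),
	'mb_send_mail'             => array(array(5), array()),
	'w32api_invoke_function'   => array(array(1), array()),
	'w32api_register_function' => array(array(2), array()),
);

// SQL executing functions => (parameters to scan, securing functions)
// Where PHP allows the connection argument to be omitted, the query moves one
// position to the left, so both candidate positions are listed (same pattern as
// sqlite_query). The cost is a spurious hit only when a tainted value is passed
// as the connection handle, which is rare.
$NAME_DATABASE = 'SQL注入';
$F_DATABASE = array(
	// Abstraction Layers
	'dba_open'                 => array(array(1), array()),
	'dba_popen'                => array(array(1), array()),
	'dba_insert'               => array(array(1,2), array()),
	'dba_fetch'                => array(array(1), array()),
	'dba_delete'               => array(array(1), array()),
	'dbx_query'                => array(array(2), $F_SECURING_SQL),
	'odbc_do'                  => array(array(2), $F_SECURING_SQL),
	'odbc_exec'                => array(array(2), $F_SECURING_SQL),
	'odbc_execute'             => array(array(2), $F_SECURING_SQL),
	'odbc_prepare'             => array(array(2), $F_SECURING_SQL),
	// Vendor Specific
	'db2_exec'                 => array(array(2), $F_SECURING_SQL),
	'db2_execute'              => array(array(2), $F_SECURING_SQL),
	'db2_prepare'              => array(array(2), $F_SECURING_SQL),
	'fbsql_db_query'           => array(array(2), $F_SECURING_SQL),
	'fbsql_query'              => array(array(1), $F_SECURING_SQL),
	'ibase_query'              => array(array(2), $F_SECURING_SQL),
	'ibase_execute'            => array(array(1), $F_SECURING_SQL),
	'ifx_query'                => array(array(1), $F_SECURING_SQL),
	'ifx_do'                   => array(array(1), $F_SECURING_SQL),
	'ingres_query'             => array(array(2), $F_SECURING_SQL),
	'ingres_execute'           => array(array(2), $F_SECURING_SQL),
	'ingres_unbuffered_query'  => array(array(2), $F_SECURING_SQL),
	'msql_db_query'            => array(array(2), $F_SECURING_SQL),
	'msql_query'               => array(array(1), $F_SECURING_SQL),
	'msql'                     => array(array(2), $F_SECURING_SQL),
	'mssql_query'              => array(array(1), $F_SECURING_SQL),
	'mssql_execute'            => array(array(1), $F_SECURING_SQL),
	'mysql_db_query'           => array(array(2), $F_SECURING_SQL),
	'mysql_query'              => array(array(1), $F_SECURING_SQL),
	'mysql_unbuffered_query'   => array(array(1), $F_SECURING_SQL),
	'mysqli_execute'           => array(array(1), $F_SECURING_SQL), // alias of mysqli_stmt_execute
	'mysqli_master_query'      => array(array(2), $F_SECURING_SQL),
	'mysqli_multi_query'       => array(array(2), $F_SECURING_SQL),
	// a tainted statement text is still injection: binding only protects the placeholders
	'mysqli_prepare'           => array(array(2), $F_SECURING_SQL),
	'mysqli_query'             => array(array(2), $F_SECURING_SQL),
	// procedural signature is (link, query): the query is argument 2, not 1
	'mysqli_real_query'        => array(array(2), $F_SECURING_SQL),
	'mysqli_send_query'        => array(array(2), $F_SECURING_SQL),
	'mysqli_slave_query'       => array(array(2), $F_SECURING_SQL),
	'mysqli_stmt_execute'      => array(array(1), $F_SECURING_SQL),
	'mysqli_stmt_prepare'      => array(array(2), $F_SECURING_SQL),
	// the SQL text enters Oracle through oci_parse(); oci_execute() only receives the parsed handle
	'oci_parse'                => array(array(2), $F_SECURING_SQL),
	'ociparse'                 => array(array(2), $F_SECURING_SQL),
	'oci_execute'              => array(array(1), array()),
	'ociexecute'               => array(array(1), array()),
	'ovrimos_exec'             => array(array(2), $F_SECURING_SQL),
	'ovrimos_execute'          => array(array(2), $F_SECURING_SQL),
	'ora_do'                   => array(array(2), array()),
	'ora_exec'                 => array(array(1), array()),
	'pg_exec'                  => array(array(1,2), $F_SECURING_SQL), // alias of pg_query
	'pg_query'                 => array(array(1,2), $F_SECURING_SQL), // connection is optional: query is argument 1 or 2
	'pg_query_params'          => array(array(1,2), $F_SECURING_SQL),
	'pg_send_query'            => array(array(2), $F_SECURING_SQL),
	'pg_send_query_params'     => array(array(2), $F_SECURING_SQL),
	'pg_send_prepare'          => array(array(3), $F_SECURING_SQL),
	'pg_prepare'               => array(array(2,3), $F_SECURING_SQL), // connection is optional: query is argument 2 or 3
	'sqlite_open'              => array(array(1), $F_SECURING_SQL),
	'sqlite_popen'             => array(array(1), $F_SECURING_SQL),
	'sqlite_array_query'       => array(array(1,2), $F_SECURING_SQL),
	'arrayQuery'               => array(array(1,2), $F_SECURING_SQL),
	'singleQuery'              => array(array(1), $F_SECURING_SQL),
	'sqlite_query'             => array(array(1,2), $F_SECURING_SQL),
	'sqlite_exec'              => array(array(1,2), $F_SECURING_SQL),
	'sqlite_single_query'      => array(array(2), $F_SECURING_SQL),
	'sqlite_unbuffered_query'  => array(array(1,2), $F_SECURING_SQL),
	'sqlsrv_prepare'           => array(array(2), $F_SECURING_SQL),
	'sqlsrv_query'             => array(array(2), $F_SECURING_SQL),
	'sybase_query'             => array(array(1), $F_SECURING_SQL),
	'sybase_unbuffered_query'  => array(array(1), $F_SECURING_SQL),
);

// xpath injection
$NAME_XPATH = 'XPath注入';
$F_XPATH = array(
	'xpath_eval'            => array(array(2), $F_SECURING_XPATH),
	'xpath_eval_expression' => array(array(2), $F_SECURING_XPATH),
	'xptr_eval'             => array(array(2), $F_SECURING_XPATH),
);

// ldap injection (filter / DN arguments)
$NAME_LDAP = 'LDAP注入';
$F_LDAP = array(
	'ldap_add'    => array(array(2,3), $F_SECURING_LDAP),
	'ldap_delete' => array(array(2), $F_SECURING_LDAP),
	'ldap_list'   => array(array(3), $F_SECURING_LDAP),
	'ldap_read'   => array(array(3), $F_SECURING_LDAP),
	'ldap_search' => array(array(3), $F_SECURING_LDAP),
);

// connection handling functions: hosts, URLs, remote paths and mail headers
// built from user input (SSRF, header injection, arbitrary FTP/socket targets).
$NAME_CONNECT = '协议注入';
$F_CONNECT = array(
	'curl_setopt'          => array(array(2,3), array()),
	'curl_setopt_array'    => array(array(2), array()),
	'cyrus_query'          => array(array(2), array()),
	'error_log'            => array(array(3), array()),  // argument 3 is the destination file / mail address
	'fsockopen'            => array(array(1), array()),
	'ftp_chmod'            => array(array(2,3), array()),
	'ftp_exec'             => array(array(2), array()),
	'ftp_delete'           => array(array(2), array()),
	'ftp_fget'             => array(array(3), array()),
	'ftp_get'              => array(array(2,3), array()),
	'ftp_nlist'            => array(array(2), array()),
	'ftp_nb_fget'          => array(array(3), array()),
	'ftp_nb_get'           => array(array(2,3), array()),
	'ftp_nb_put'           => array(array(2,3), array()),  // (ftp, remote_file, local_file) — same shape as ftp_put
	'ftp_put'              => array(array(2,3), array()),
	'get_headers'          => array(array(1), array()),
	'imap_open'            => array(array(1), array()),
	'imap_mail'            => array(array(1), array()),
	'mail'                 => array(array(1,4), array()),  // recipient and additional headers: mail header injection
	'mb_send_mail'         => array(array(1,4), array()),
	'ldap_connect'         => array(array(1), array()),
	'msession_connect'     => array(array(1), array()),
	'pfsockopen'           => array(array(1), array()),
	'session_register'     => array(array(0), array()),   // NOTE(review): 0 presumably means all arguments — confirm in lib/scanner.php
	'socket_bind'          => array(array(2), array()),
	'socket_connect'       => array(array(2), array()),
	'socket_send'          => array(array(2), array()),
	'socket_write'         => array(array(2), array()),
	'stream_socket_client' => array(array(1), array()),
	'stream_socket_server' => array(array(1), array()),
	'printer_open'         => array(array(1), array()),
);

// other critical functions
$NAME_OTHER = '其他漏洞'; // :X
$F_OTHER = array(
	'dl'                       => array(array(1), array()),
	'ereg'                     => array(array(2), array()), # nullbyte injection affected
	'eregi'                    => array(array(2), array()), # nullbyte injection affected
	'ini_set'                  => array(array(1,2), array()),
	'ini_restore'              => array(array(1), array()),
	'runkit_constant_redefine' => array(array(1,2), array()),
	'runkit_method_rename'     => array(array(1,2,3), array()),
	'sleep'                    => array(array(1), array()),   // attacker-chosen delay: denial of service
	'usleep'                   => array(array(1), array()),
	'extract'                  => array(array(1), array()),   // variable overwrite
	'mb_parse_str'             => array(array(1), array()),
	'parse_str'                => array(array(1), array()),
	'putenv'                   => array(array(1), array()),
	'set_include_path'         => array(array(1), array()),
	'apache_setenv'            => array(array(1,2), array()),
	'define'                   => array(array(1), array()),
	'is_a'                     => array(array(1), array()),   // calls __autoload()
);

// property oriented programming with unserialize
$NAME_POP = 'PHP对象注入';
$F_POP = array(
	'unserialize' => array(array(1), array()), // calls gadgets
	'yaml_parse'  => array(array(1), array()), // calls unserialize
);

// XML
//simplexml_load_string


# interruption vulnerabilities
# trim(), rtrim(), ltrim(), explode(), strchr(),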
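#   strstr(), substr(), chunk_split(), strtok(), addcslashes(), str_repeat(), htmlentities(), htmlspecialchars(), unset()

?>
-------------------------------------------------------------------------------- /config/sources.php: --------------------------------------------------------------------------------
<?php
/**
 * (file header comment truncated in this listing)
 **/

/**
 * Taint sources: everything the scanner treats as attacker-controlled input.
 * Two kinds of data are listed: request data that is tainted by definition
 * ($V_USERINPUT and the $_SERVER keys in $V_SERVER_PARAMS), and return values
 * of functions that re-introduce attacker data from storage or the environment
 * (second-order / persistent sources: files, database rows, headers, DNS).
 */
final class Sources
{
	// userinput variables: superglobals and their pre-4.1 long-name aliases
	public static $V_USERINPUT = array(
		'$_GET',
		'$_POST',
		'$_COOKIE',
		'$_REQUEST',
		'$_FILES',
		'$_SERVER',
		'$HTTP_GET_VARS',
		'$HTTP_POST_VARS',
		'$HTTP_COOKIE_VARS',
		'$HTTP_REQUEST_VARS',
		'$HTTP_POST_FILES',
		'$HTTP_SERVER_VARS',
		'$HTTP_RAW_POST_DATA',
		'$argc',
		'$argv'
	);

	// $_SERVER keys whose value comes from the client. Every HTTP_* key mirrors a
	// request header and is therefore tainted; the commonly used ones are listed.
	// NOTE(review): presumably lib/scanner.php consults this list when it sees
	// $_SERVER['KEY'] — if it taints HTTP_* generically, those entries are only
	// documentation. Verify before removing any.
	public static $V_SERVER_PARAMS = array(
		'HTTP_ACCEPT',
		'HTTP_ACCEPT_LANGUAGE',
		'HTTP_ACCEPT_ENCODING',
		'HTTP_ACCEPT_CHARSET',
		'HTTP_AUTHORIZATION',
		'HTTP_CLIENT_IP',        // spoofable "client IP" headers: a classic source of SQLi in logging code
		'HTTP_CONNECTION',
		'HTTP_COOKIE',
		'HTTP_HOST',
		'HTTP_KEEP_ALIVE',
		'HTTP_ORIGIN',
		'HTTP_REFERER',
		'HTTP_USER_AGENT',
		'HTTP_X_FORWARDED_FOR',
		'HTTP_X_FORWARDED_HOST',
		'HTTP_X_FORWARDED_PROTO',
		'HTTP_X_REAL_IP',
		'HTTP_X_REQUESTED_WITH',
		// all HTTP_ headers can be tainted
		'CONTENT_TYPE',
		'CONTENT_LENGTH',
		'PHP_AUTH_DIGEST',
		'PHP_AUTH_USER',
		'PHP_AUTH_PW',
		'AUTH_TYPE',
		'QUERY_STRING',
		'REQUEST_METHOD',
		'REQUEST_URI',           // partly urlencoded
		'PATH_INFO',
		'ORIG_PATH_INFO',
		'PATH_TRANSLATED',
		'REMOTE_HOST',           // reverse-DNS name: chosen by whoever controls the client's PTR record
		'REMOTE_HOSTNAME',
		'SERVER_NAME',           // copied from the Host header unless the server canonicalises names (Apache: UseCanonicalName Off is the default)
		'PHP_SELF'
	);

	// file content as input (local files, php://input, remote URLs via wrappers)
	public static $F_FILE_INPUT = array(
		'bzread',
		'dio_read',
		'exif_imagetype',
		'exif_read_data',
		'exif_thumbnail',
		'fgetc',
		'fgetcsv',
		'fgets',
		'fgetss',
		'file',
		'file_get_contents',
		'fread',
		'fscanf',
		'get_meta_tags',
		'glob',
		'gzfile',
		'gzgetc',
		'gzgets',
		'gzread',
		'parse_ini_file',
		'readdir',
		'read_exif_data',
		'scandir',
		'stream_get_contents',
		'stream_get_line',
		'zip_read'
	);

	// database content as input (second-order injection: data written earlier
	// with a tainted value comes back untrusted). Vendors mirror the sink table.
	public static $F_DATABASE_INPUT = array(
		'db2_fetch_array',
		'db2_fetch_assoc',
		'db2_fetch_both',
		'db2_fetch_object',
		'ibase_fetch_assoc',
		'ibase_fetch_object',
		'ibase_fetch_row',
		'mssql_fetch_array',
		'mssql_fetch_assoc',
		'mssql_fetch_object',
		'mssql_fetch_row',
		'mysql_fetch_array',
		'mysql_fetch_assoc',
		'mysql_fetch_field',
		'mysql_fetch_object',
		'mysql_fetch_row',
		'mysql_result',
		'mysqli_fetch_all',
		'mysqli_fetch_array',
		'mysqli_fetch_assoc',
		'mysqli_fetch_object',
		'mysqli_fetch_row',
		'oci_fetch_array',
		'oci_fetch_assoc',
		'oci_fetch_object',
		'oci_fetch_row',
		'oci_result',
		'odbc_fetch_array',
		'odbc_fetch_object',
		'odbc_result',
		'pg_fetch_all',
		'pg_fetch_all_columns',
		'pg_fetch_array',
		'pg_fetch_assoc',
		'pg_fetch_object',
		'pg_fetch_result',
		'pg_fetch_row',
		'sqlite_fetch_all',
		'sqlite_fetch_array',
		'sqlite_fetch_object',
		'sqlite_fetch_single',
		'sqlite_fetch_string',
		'sqlsrv_fetch_array',
		'sqlsrv_fetch_object',
		'sybase_fetch_array',
		'sybase_fetch_assoc',
		'sybase_fetch_object',
		'sybase_fetch_row'
	);

	// other functions as input: request headers, environment, DNS answers and
	// bodies fetched from remote hosts
	public static $F_OTHER_INPUT = array(
		'apache_request_headers',   // alias of getallheaders
		'curl_exec',                // response body when CURLOPT_RETURNTRANSFER is set
		'curl_multi_getcontent',
		'get_headers',
		'getallheaders',
		'get_browser',
		'getenv',
		'gethostbyaddr',
		'gethostbyname',            // the DNS answer is controlled by the zone owner
		'gethostbynamel',
		'runkit_superglobals',
		'import_request_variables'
	);

	// 'getenv' and 'apache_getenv'
	// will be automatically added if 'putenv' or 'apache_setenv' with userinput is found
}

?>
-------------------------------------------------------------------------------- /config/tokens.php: --------------------------------------------------------------------------------
<?php
/**
 * (file header comment truncated in this listing)
 **/

/**
 * Token classes used by the tokenizer/scanner to recognise control flow,
 * assignments, sinks (echo/print/include) and the casts that stop taint.
 * Only constants that exist in the PHP version running RIPS may be named here:
 * newer assignment tokens (T_POW_EQUAL, T_COALESCE_EQUAL) are deliberately
 * absent because referencing an undefined constant in a static initializer
 * would be fatal on old interpreters.
 */
final class Tokens
{
	// tokens to ignore while scanning
	public static $T_IGNORE = array(
		T_BAD_CHARACTER,
		T_DOC_COMMENT,
		T_COMMENT,
		//T_ML_COMMENT,
		T_INLINE_HTML,
		T_WHITESPACE,
		T_OPEN_TAG
		//T_CLOSE_TAG
	);

	// code blocks that should be ignored as requirement
	public static $T_LOOP_CONTROL = array(
		//T_DO, // removed, because DO..WHILE is rewritten to WHILE
		T_WHILE,
		T_FOR,
		T_FOREACH
	);

	// control structures
	public static $T_FLOW_CONTROL = array(
		T_IF,
		T_SWITCH,
		T_CASE,
		T_ELSE,
		T_ELSEIF
	);

	// variable assignment tokens (compound assignments; plain '=' is handled as a string token)
	public static $T_ASSIGNMENT = array(
		T_AND_EQUAL,
		T_CONCAT_EQUAL,
		T_DIV_EQUAL,
		T_MINUS_EQUAL,
		T_MOD_EQUAL,
		T_MUL_EQUAL,
		T_OR_EQUAL,
		T_PLUS_EQUAL,
		T_SL_EQUAL,
		T_SR_EQUAL,
		T_XOR_EQUAL
	);

	// variable assignment tokens that prevent tainting: the arithmetic operators
	// coerce the right-hand side to a number, so attacker bytes cannot survive.
	// NOTE(review): '|=' and '^=' applied to two strings operate byte-wise and
	// return a string built from the tainted bytes, so treating them as securing
	// is a potential false negative; '&=' is (inconsistently) not listed here.
	public static $T_ASSIGNMENT_SECURE = array(
		T_DIV_EQUAL,
		T_MINUS_EQUAL,
		T_MOD_EQUAL,
		T_MUL_EQUAL,
		T_OR_EQUAL,
		T_PLUS_EQUAL,
		T_SL_EQUAL,
		T_SR_EQUAL,
		T_XOR_EQUAL
	);

	// condition operators
	public static $T_OPERATOR = array(
		T_IS_EQUAL,
		T_IS_GREATER_OR_EQUAL,
		T_IS_IDENTICAL,
		T_IS_NOT_EQUAL,
		T_IS_NOT_IDENTICAL,
		T_IS_SMALLER_OR_EQUAL
	);

	// all function call tokens
	public static $T_FUNCTIONS = array(
		T_STRING, // all functions
		T_EVAL,
		T_INCLUDE,
		T_INCLUDE_ONCE,
		T_REQUIRE,
		T_REQUIRE_ONCE
	);

	// including operation tokens
	public static $T_INCLUDES = array(
		T_INCLUDE,
		T_INCLUDE_ONCE,
		T_REQUIRE,
		T_REQUIRE_ONCE
	);

	// XSS affected operation tokens (exit($msg) prints its argument too)
	public static $T_XSS = array(
		T_PRINT,
		T_ECHO,
		T_OPEN_TAG_WITH_ECHO,
		T_EXIT
	);

	// securing operation tokens: casts that discard the string content
	public static $T_CASTS = array(
		T_BOOL_CAST,
		T_DOUBLE_CAST,
		T_INT_CAST,
		T_UNSET_CAST,
		T_UNSET
	);

	// tokens that will have a space before and after in the output, besides $T_OPERATOR and $T_ASSIGNMENT
	public static $T_SPACE_WRAP = array(
		T_AS,
		T_BOOLEAN_AND,
		T_BOOLEAN_OR,
		T_LOGICAL_AND,
		T_LOGICAL_OR,
		T_LOGICAL_XOR,
		T_SL,
		T_SR,
		T_CASE,
		T_ELSE,
		T_GLOBAL,
		T_NEW
	);

	// arithmetical operators to detect automatic typecasts
	public static $T_ARITHMETIC = array(
		T_INC,
		T_DEC
	);

	// arithmetical operators to detect automatic typecasts (single-character tokens)
	public static $S_ARITHMETIC = array(
		'+',
		'-',
		'*',
		'/',
		'%'
	);

	// strings that will have a space before and after in the output besides $S_ARITHMETIC
	public static $S_SPACE_WRAP = array(
		'.',
		'=',
		'>',
		'<',
		':',
		'?'
	);
}

// define own token for include ending
// NOTE(review): 380 is a fixed id that may collide with a real T_* constant on
// newer PHP versions (token ids are renumbered between releases); check how
// lib/tokenizer.php uses it before moving it above every builtin token id.
define('T_INCLUDE_END', 380);

?>
-------------------------------------------------------------------------------- /css/ayti.css: --------------------------------------------------------------------------------
#scrollwindow {
	background-color: grey;
	opacity:0.22;
}

.userinput, .persistent {
	list-style-type: disc;
	color:white;
}
.validated {
	list-style-type: disc;
	color:red;
}
.functioninput {
	list-style-type: disc;
	color:yellow;
}

.vulnblock {
	background-color:#223344;
	color:#FFCC44;
	font-weight:bold;
}

.codebox {
	margin-bottom: 10px;
	background-color: #101820;
}

.windowcontent, .filecanvas, #funccodecontent, #funccodetitle, .funclistcontent {
	background-color: #101820;
}

.markline {
	background-color: #334455;
}

.requires
{color: #D2A8A1; font-weight:bold;}

.linenr
{color: #888;}

.link
{color: #6262F0; font-weight:bold;}

.vulntitle, .code {
	font-size:9pt;
	font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace;
}

.code,
.phps-code, .phps-t-curly-open, .phps-t-dollar-open-curly-braces, .vulntitle
{color: white; }

.phps-t-string,
.phps-t-eval,
.phps-t-print,
.phps-t-include,
.phps-t-include-once,
.phps-t-require,
.phps-t-require-once,
.phps-t-isset,
.phps-t-empty,
.phps-t-while,
.phps-t-do,
.phps-t-try,
.phps-t-catch,
.phps-t-exit,
.phps-t-unset,
.phps-t-list,
.phps-t-array,
.phps-t-echo,
.phps-t-start-heredoc,
.phps-t-end-heredoc
{color: #FFFFFF;}
/*E1E1F9*/

.phps-t-open-tag,
.phps-t-close-tag,
.phps-t-and-equal,
.phps-t-concat-equal,
.phps-t-div-equal,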
.phps-t-minus-equal, 85 | .phps-t-mod-equal, 86 | .phps-t-mul-equal, 87 | .phps-t-or-equal, 88 | .phps-t-plus-equal, 89 | .phps-t-sl-equal, 90 | .phps-t-sr-equal, 91 | .phps-t-xor-equal, 92 | .phps-t-is-equal, 93 | .phps-t-is-greater-or-equal, 94 | .phps-t-is-identical, 95 | .phps-t-is-not-equal, 96 | .phps-t-is-not-identical, 97 | .phps-t-object-operator, 98 | .phps-t-double-colon, 99 | .phps-t-paamayim-nekudotayim, 100 | .phps-t-if, 101 | .phps-t-isset, 102 | .phps-t-exclaim, 103 | .phps-t-for, 104 | .phps-t-foreach, 105 | .phps-t-return, 106 | .phps-t-double-arrow, 107 | .phps-t-as, 108 | .phps-t-or, 109 | .phps-t-case, 110 | .phps-t-default, 111 | .phps-t-break, 112 | .phps-t-continue, 113 | .phps-t-goto, 114 | .phps-t-and, 115 | .phps-t-xor, 116 | .phps-t-boolean-or, 117 | .phps-t-boolean-and, 118 | .phps-t-global, 119 | .phps-t-logical-and, 120 | .phps-t-logical-or, 121 | .phps-t-else, 122 | .phps-t-elseif, 123 | .phps-t-switch, 124 | .phps-t-use, 125 | .phps-t-var, 126 | .phps-t-inc, 127 | .phps-t-dec, 128 | .phps-t-function, 129 | .phps-t-public, 130 | .phps-t-private, 131 | .phps-t-protected, 132 | .phps-t-static, 133 | .phps-t-class, 134 | .phps-t-new, 135 | .phps-t-bool-cast, 136 | .phps-t-double-cast, 137 | .phps-t-int-cast, 138 | .phps-t-unset-cast, 139 | .phps-t-file, 140 | .phps-t-line, 141 | .phps-t-dir, 142 | .phps-t-func-c, .phps-t-class-c, 143 | .phps-t-method-c, 144 | .phps-t-ns-c 145 | {color: #9467FC;} 146 | 147 | .phps-t-const 148 | {color: #CF6A4C;} 149 | 150 | .phps-t-variable, 151 | .phps-t-variable-marked, 152 | .phps-t-string-varname, 153 | .funclistline 154 | {color: #768FEB;} 155 | 156 | .phps-t-variable-marked 157 | {background-color:darkred;} 158 | 159 | .phps-tainted-var 160 | {color: #AAC8FD;} 161 | 162 | .phps-t-lnumber 163 | {color: #CF6A4C} 164 | 165 | .phps-t-encapsed-and-whitespace, 166 | .phps-t-constant-encapsed-string 167 | {color: #FFCE42;} 168 | /* FFCE42 */ 169 | .phps-t-inline-html 170 | {color: #FFCE42;} 171 | 172 | 
.phps-t-comment, 173 | .phps-t-ml-comment, 174 | .phps-t-doc-comment 175 | {color: #3F4852} 176 | -------------------------------------------------------------------------------- /css/barf.css: -------------------------------------------------------------------------------- 1 | #scrollwindow { 2 | background-color: grey; 3 | opacity:0.22; 4 | } 5 | 6 | .menu { 7 | background-color: #1D261B; 8 | } 9 | 10 | input[type="text"],select { 11 | color: #000 !important; 12 | background: #99A298 !important; 13 | } 14 | 15 | 16 | .userinput, .persistent { 17 | list-style-type: disc; 18 | color:white; 19 | } 20 | .validated { 21 | list-style-type: disc; 22 | color:red; 23 | } 24 | .functioninput { 25 | list-style-type: disc; 26 | color:yellow; 27 | } 28 | 29 | .codebox { 30 | margin-bottom: 10px; 31 | background-color: #0D1219; 32 | } 33 | 34 | .vulnblock { 35 | background-color:#283325; 36 | color:#94F877; 37 | font-weight:bold; 38 | } 39 | 40 | .windowcontent, #funccodecontent, #funccodetitle, .funclistcontent { 41 | background-color: #0D1219; 42 | } 43 | 44 | .markline { 45 | background-color: #243245; 46 | } 47 | 48 | .requires 49 | {color: #697B8F; font-weight:bold;} 50 | 51 | .linenr 52 | {color: #888;} 53 | 54 | .link 55 | {color: #EEF2F7; font-weight:bold;} 56 | 57 | .code, .vulntitle { 58 | font-size:9pt; 59 | font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace; 60 | } 61 | 62 | .code, 63 | .phps-code, .phps-t-curly-open, .phps-t-dollar-open-curly-braces, .vulntitle 64 | {color: #EEF2F7; } 65 | 66 | .phps-t-string, 67 | .phps-t-eval, 68 | .phps-t-print, 69 | .phps-t-include, 70 | .phps-t-include-once, 71 | .phps-t-require, 72 | .phps-t-require-once, 73 | .phps-t-isset, 74 | .phps-t-empty, 75 | .phps-t-while, 76 | .phps-t-do, 77 | .phps-t-exit, 78 | .phps-t-try, 79 | .phps-t-catch, 80 | .phps-t-unset, 81 | .phps-t-list, 82 | .phps-t-array, 83 | .phps-t-echo, 84 | .phps-t-start-heredoc, 85 | .phps-t-end-heredoc, 86 | .phps-t-if, 87 | .phps-t-for, 
88 | .phps-t-foreach, 89 | .phps-t-else, 90 | .phps-t-elseif, 91 | .phps-t-switch, 92 | .phps-t-bool-cast, 93 | .phps-t-double-cast, 94 | .phps-t-int-cast, 95 | .phps-t-unset-cast, 96 | .phps-t-file, 97 | .phps-t-line, 98 | .phps-t-dir, 99 | .phps-t-func-c, .phps-t-class-c, 100 | .phps-t-method-c, 101 | .phps-t-ns-c 102 | {color: #EFF3F8;} 103 | 104 | .phps-t-open-tag, 105 | .phps-t-close-tag, 106 | .phps-t-and-equal, 107 | .phps-t-concat-equal, 108 | .phps-t-div-equal, 109 | .phps-t-minus-equal, 110 | .phps-t-mod-equal, 111 | .phps-t-mul-equal, 112 | .phps-t-or-equal, 113 | .phps-t-plus-equal, 114 | .phps-t-sl-equal, 115 | .phps-t-sr-equal, 116 | .phps-t-xor-equal, 117 | .phps-t-is-equal, 118 | .phps-t-is-greater-or-equal, 119 | .phps-t-is-identical, 120 | .phps-t-is-not-equal, 121 | .phps-t-is-not-identical, 122 | .phps-t-inc, 123 | .phps-t-dec, 124 | .phps-t-object-operator, 125 | .phps-t-double-colon, 126 | .phps-t-paamayim-nekudotayim, 127 | .phps-t-exclaim, 128 | .phps-t-double-arrow, 129 | .phps-t-as, 130 | .phps-t-or, 131 | .phps-t-case, 132 | .phps-t-default, 133 | .phps-t-break, 134 | .phps-t-continue, 135 | .phps-t-goto, 136 | .phps-t-and, 137 | .phps-t-xor, 138 | .phps-t-global, 139 | .phps-t-logical-and, 140 | .phps-t-logical-or, 141 | .phps-t-boolean-or, 142 | .phps-t-boolean-and, 143 | .phps-t-use, 144 | .phps-t-var 145 | {color: #697A8E;} 146 | 147 | .phps-t-function, 148 | .phps-t-public, 149 | .phps-t-private, 150 | .phps-t-protected, 151 | .phps-t-static, 152 | .phps-t-class, 153 | .phps-t-new, 154 | .phps-t-const, 155 | .phps-t-return 156 | {color: #94F877;} 157 | 158 | .phps-t-variable, .phps-t-string-varname, .funclistline, .phps-t-variable-marked 159 | {color: #708E67;} 160 | 161 | .phps-t-variable-marked 162 | {background-color:darkred;} 163 | 164 | .phps-tainted-var 165 | {color: #7FC16B;} 166 | 167 | .phps-t-lnumber 168 | {color: #EEF2F7} 169 | 170 | .phps-t-encapsed-and-whitespace, 171 | .phps-t-constant-encapsed-string 172 | {color: 
#5C81B3;} 173 | 174 | .phps-t-inline-html 175 | {color: #F9EE98;} 176 | 177 | .phps-t-comment, 178 | .phps-t-ml-comment, 179 | .phps-t-doc-comment 180 | {color: #6E6E6E;} 181 | -------------------------------------------------------------------------------- /css/code-dark.css: -------------------------------------------------------------------------------- 1 | #scrollwindow { 2 | background-color: grey; 3 | opacity:0.22; 4 | } 5 | 6 | .menu { 7 | background-color:#010101; 8 | } 9 | 10 | 11 | input[type="text"],select { 12 | color: #000 !important; 13 | background-color:#797979 !important; 14 | } 15 | 16 | .userinput, .persistent { 17 | list-style-type: disc; 18 | color:white; 19 | } 20 | .validated { 21 | list-style-type: disc; 22 | color:red; 23 | } 24 | .functioninput { 25 | list-style-type: disc; 26 | color:yellow; 27 | } 28 | 29 | .codebox { 30 | margin-bottom: 10px; 31 | background-color: #222222; 32 | } 33 | 34 | .vulnblock { 35 | background-color:#111111; 36 | color:#FBFB97; 37 | font-weight:bold; 38 | } 39 | 40 | .windowcontent , #funccodecontent, #funccodetitle, .funclistcontent { 41 | background-color: #222222; 42 | } 43 | 44 | 45 | .code, .vulntitle 46 | {font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace; font-size:9pt; } 47 | 48 | .markline { 49 | background-color: #531107; 50 | } 51 | 52 | .requires, 53 | .linenr 54 | {color: #888888;} 55 | 56 | .link 57 | {color:#D78787; font-weight:bold; text-decoration:underline;} 58 | 59 | .code, 60 | .phps-code, 61 | .phps-t-dollar-open-curly-braces, 62 | .phps-t-curly-open, 63 | .phps-t-open-tag, 64 | .phps-t-close-tag, 65 | .phps-t-and-equal, 66 | .phps-t-concat-equal, 67 | .phps-t-div-equal, 68 | .phps-t-minus-equal, 69 | .phps-t-mod-equal, 70 | .phps-t-mul-equal, 71 | .phps-t-or-equal, 72 | .phps-t-plus-equal, 73 | .phps-t-sl-equal, 74 | .phps-t-sr-equal, 75 | .phps-t-xor-equal, 76 | .phps-t-is-equal, 77 | .phps-t-is-greater-or-equal, 78 | .phps-t-is-identical, 79 | 
.phps-t-is-not-equal, 80 | .phps-t-is-not-identical, 81 | .phps-t-inc, 82 | .phps-t-dec, 83 | .phps-t-object-operator, 84 | .phps-t-double-colon, 85 | .phps-t-paamayim-nekudotayim 86 | {color: #D78787;} 87 | 88 | .phps-t-if, 89 | .phps-t-while, 90 | .phps-t-do, 91 | .phps-t-exit, 92 | .phps-t-try, 93 | .phps-t-catch, 94 | .phps-t-isset, 95 | .phps-t-exclaim, 96 | .phps-t-for, 97 | .phps-t-foreach, 98 | .phps-t-return, 99 | .phps-t-double-arrow, 100 | .phps-t-as, 101 | .phps-t-or, 102 | .phps-t-case, 103 | .phps-t-default, 104 | .phps-t-break, 105 | .phps-t-continue, 106 | .phps-t-goto, 107 | .phps-t-and, 108 | .phps-t-boolean-or, 109 | .phps-t-boolean-and, 110 | .phps-t-logical-or, 111 | .phps-t-logical-and, 112 | .phps-t-xor, 113 | .phps-t-global, 114 | .phps-t-and, 115 | .phps-t-isset, 116 | .phps-t-empty, 117 | .phps-t-unset, 118 | .phps-t-else, 119 | .phps-t-elseif, 120 | .phps-t-switch, 121 | .phps-t-array, 122 | .phps-t-bool-cast, 123 | .phps-t-double-cast, 124 | .phps-t-int-cast, 125 | .phps-t-unset-cast, 126 | .phps-t-file, 127 | .phps-t-line, 128 | .phps-t-dir, 129 | .phps-t-func-c, .phps-t-class-c, 130 | .phps-t-method-c, 131 | .phps-t-ns-c 132 | {color: #87AFD7;} 133 | 134 | .phps-t-variable, .phps-t-string-varname, .funclistline, .phps-t-variable-marked 135 | {color: #AFAFD7;} 136 | 137 | .phps-t-variable-marked 138 | {background-color:darkred;} 139 | 140 | .phps-tainted-var 141 | {color: #5959E2;} 142 | 143 | .phps-t-string, 144 | .phps-t-eval, 145 | .phps-t-const 146 | {color: #D7AFD7;} 147 | 148 | .phps-t-lnumber 149 | {color: #D7AF87;} 150 | 151 | .phps-t-encapsed-and-whitespace, 152 | .phps-t-constant-encapsed-string 153 | {color: #FFFFAF;} 154 | 155 | .phps-t-echo, 156 | .phps-t-start-heredoc, 157 | .phps-t-end-heredoc, 158 | .phps-t-function, 159 | .phps-t-public, 160 | .phps-t-private, 161 | .phps-t-protected, 162 | .phps-t-static, 163 | .phps-t-class, 164 | .phps-t-new, 165 | .phps-t-print, 166 | .phps-t-include, 167 | .phps-t-include-once, 168 
| .phps-t-require, 169 | .phps-t-require-once, 170 | .phps-t-use 171 | {color: #AFD787;} 172 | 173 | .phps-t-inline-html 174 | {color: #D0D0D0;} 175 | 176 | .phps-t-comment, 177 | .phps-t-ml-comment, 178 | .phps-t-doc-comment 179 | {color: #808080} 180 | -------------------------------------------------------------------------------- /css/espresso.css: -------------------------------------------------------------------------------- 1 | #scrollwindow { 2 | background-color: grey; 3 | opacity:0.22; 4 | } 5 | 6 | .menu { 7 | background-color: #351F12; 8 | } 9 | 10 | 11 | input[type="text"],select { 12 | color: #000 !important; 13 | background: #968B85 !important; 14 | } 15 | 16 | 17 | .userinput, .persistent { 18 | list-style-type: disc; 19 | color:white; 20 | } 21 | .validated { 22 | list-style-type: disc; 23 | color:red; 24 | } 25 | .functioninput { 26 | list-style-type: disc; 27 | color:yellow; 28 | } 29 | 30 | .codebox { 31 | margin-bottom: 10px; 32 | background-color: #2A211C; 33 | } 34 | 35 | .vulnblock { 36 | background-color:#23150D; 37 | color:#049B0A; 38 | font-weight:bold; 39 | } 40 | 41 | .windowcontent , #funccodecontent, #funccodetitle, .funclistcontent { 42 | background-color: #2A211C; 43 | } 44 | 45 | .markline { 46 | background-color: #1E3F06; 47 | } 48 | 49 | .requires 50 | {color: #43A8ED; font-weight:bold;} 51 | 52 | .linenr 53 | {color: #888;} 54 | 55 | .link 56 | {color: #2F5FE0; font-weight:bold;} 57 | 58 | .code, .vulntitle { 59 | font-size:9pt; 60 | font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace; 61 | } 62 | 63 | .code, 64 | .phps-code, .phps-t-curly-open, .phps-t-dollar-open-curly-braces, .vulntitle 65 | {color: #BDAE9D; } 66 | 67 | .phps-t-string, 68 | .phps-t-eval, 69 | .phps-t-print, 70 | .phps-t-include, 71 | .phps-t-include-once, 72 | .phps-t-require, 73 | .phps-t-require-once, 74 | .phps-t-isset, 75 | .phps-t-empty, 76 | .phps-t-while, 77 | .phps-t-do, 78 | .phps-t-exit, 79 | .phps-t-try, 80 | .phps-t-catch, 
81 | .phps-t-unset, 82 | .phps-t-list, 83 | .phps-t-array, 84 | .phps-t-echo, 85 | .phps-t-start-heredoc, 86 | .phps-t-end-heredoc 87 | {color: #FFCE42;} 88 | 89 | 90 | .phps-t-open-tag, 91 | .phps-t-close-tag, 92 | .phps-t-and-equal, 93 | .phps-t-concat-equal, 94 | .phps-t-div-equal, 95 | .phps-t-minus-equal, 96 | .phps-t-mod-equal, 97 | .phps-t-mul-equal, 98 | .phps-t-or-equal, 99 | .phps-t-plus-equal, 100 | .phps-t-sl-equal, 101 | .phps-t-sr-equal, 102 | .phps-t-xor-equal, 103 | .phps-t-is-equal, 104 | .phps-t-is-greater-or-equal, 105 | .phps-t-is-identical, 106 | .phps-t-is-not-equal, 107 | .phps-t-is-not-identical, 108 | .phps-t-inc, 109 | .phps-t-dec, 110 | .phps-t-object-operator, 111 | .phps-t-double-colon, 112 | .phps-t-paamayim-nekudotayim, 113 | .phps-t-if, 114 | .phps-t-switch, 115 | .phps-t-exclaim, 116 | .phps-t-for, 117 | .phps-t-foreach, 118 | .phps-t-return, 119 | .phps-t-double-arrow, 120 | .phps-t-as, 121 | .phps-t-or, 122 | .phps-t-case, 123 | .phps-t-default, 124 | .phps-t-break, 125 | .phps-t-continue, 126 | .phps-t-goto, 127 | .phps-t-and, 128 | .phps-t-xor, 129 | .phps-t-global, 130 | .phps-t-logical-and, 131 | .phps-t-logical-or, 132 | .phps-t-boolean-or, 133 | .phps-t-boolean-and, 134 | .phps-t-else, 135 | .phps-t-elseif, 136 | .phps-t-use, 137 | .phps-t-var, 138 | .phps-t-function, 139 | .phps-t-public, 140 | .phps-t-private, 141 | .phps-t-protected, 142 | .phps-t-static, 143 | .phps-t-class, 144 | .phps-t-new, 145 | .phps-t-bool-cast, 146 | .phps-t-double-cast, 147 | .phps-t-int-cast, 148 | .phps-t-unset-cast, 149 | .phps-t-file, 150 | .phps-t-line, 151 | .phps-t-dir, 152 | .phps-t-func-c, .phps-t-class-c, 153 | .phps-t-method-c, 154 | .phps-t-ns-c 155 | {color: #43A8ED; font-weight: bold; } 156 | 157 | .phps-t-const 158 | {color: #C5656B;} 159 | 160 | .phps-t-variable, .phps-t-string-varname, .funclistline, .phps-tainted-var 161 | {color: #0066FF;} 162 | 163 | .phps-t-variable-marked 164 | {background-color:darkred;color:#4B91FB;} 165 | 
166 | .phps-tainted-var 167 | {color: #4B91FB;} 168 | 169 | .phps-t-lnumber 170 | {color: #C4BDA1;} 171 | 172 | .phps-t-encapsed-and-whitespace, 173 | .phps-t-constant-encapsed-string 174 | {color: #EEEEEE;} 175 | 176 | .phps-t-inline-html 177 | {color: #F9EE98;} 178 | 179 | .phps-t-comment, 180 | .phps-t-ml-comment, 181 | .phps-t-doc-comment 182 | {color: #534A44; font-style: italic;} 183 | -------------------------------------------------------------------------------- /css/notepad++.css: -------------------------------------------------------------------------------- 1 | #scrollwindow { 2 | background-color: grey; 3 | opacity:0.22; 4 | } 5 | 6 | body, html { 7 | color: #111111; 8 | } 9 | 10 | .textcolor { 11 | color: #ffffff; 12 | } 13 | 14 | .darkcolor { 15 | color: black; 16 | } 17 | 18 | .userinput, .persistent { 19 | list-style-type: disc; 20 | color:grey; 21 | } 22 | .validated { 23 | list-style-type: disc; 24 | color:red; 25 | } 26 | .functioninput { 27 | list-style-type: disc; 28 | color:yellow; 29 | } 30 | 31 | .vulnblock { 32 | background-color:#D4D0C8; 33 | color:black; 34 | font-weight:bold; 35 | } 36 | 37 | .codebox { 38 | margin-bottom: 10px; 39 | background-color: #ffffff; 40 | } 41 | 42 | .windowcontent, #funccodecontent, #funccodetitle, .funclistcontent { 43 | background-color: #ffffff; 44 | opacity:0.95; 45 | } 46 | 47 | .markline { 48 | background-color: #EF9486; 49 | } 50 | 51 | .requires 52 | {color: #000000; font-weight:bold;} 53 | 54 | .linenr 55 | {color: #808080;} 56 | 57 | .link 58 | {color: #0000FF; font-weight:bold;} 59 | 60 | 61 | .code, .vulntitle { 62 | font-size:9pt; 63 | font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace; 64 | } 65 | 66 | .code, 67 | .phps-code, .phps-t-curly-open, .phps-t-dollar-open-curly-braces, .vulntitle 68 | {color: #8000FF; font-weight: bold;} 69 | 70 | .phps-t-string, 71 | .phps-t-eval 72 | {color: #000000; font-weight: bold;} 73 | 74 | .phps-t-and-equal, 75 | .phps-t-concat-equal, 
76 | .phps-t-div-equal, 77 | .phps-t-minus-equal, 78 | .phps-t-mod-equal, 79 | .phps-t-mul-equal, 80 | .phps-t-or-equal, 81 | .phps-t-plus-equal, 82 | .phps-t-sl-equal, 83 | .phps-t-sr-equal, 84 | .phps-t-xor-equal, 85 | .phps-t-is-equal, 86 | .phps-t-is-greater-or-equal, 87 | .phps-t-is-identical, 88 | .phps-t-is-not-equal, 89 | .phps-t-is-not-identical, 90 | .phps-t-inc, 91 | .phps-t-dec, 92 | .phps-t-object-operator, 93 | .phps-t-double-colon, 94 | .phps-t-paamayim-nekudotayim, 95 | .phps-t-double-arrow, 96 | .phps-t-boolean-or, 97 | .phps-t-boolean-and 98 | {color: #8000FF;} 99 | 100 | .phps-t-print, 101 | .phps-t-include, 102 | .phps-t-include-once, 103 | .phps-t-require, 104 | .phps-t-require-once, 105 | .phps-t-isset, 106 | .phps-t-empty, 107 | .phps-t-while, 108 | .phps-t-do, 109 | .phps-t-exit, 110 | .phps-t-try, 111 | .phps-t-catch, 112 | .phps-t-unset, 113 | .phps-t-list, 114 | .phps-t-array, 115 | .phps-t-echo, 116 | .phps-t-if, 117 | .phps-t-switch, 118 | .phps-t-isset, 119 | .phps-t-exclaim, 120 | .phps-t-for, 121 | .phps-t-foreach, 122 | .phps-t-return, 123 | .phps-t-as, 124 | .phps-t-or, 125 | .phps-t-logical-and, 126 | .phps-t-logical-or, 127 | .phps-t-boolean-or, 128 | .phps-t-boolean-and, 129 | .phps-t-case, 130 | .phps-t-default, 131 | .phps-t-break, 132 | .phps-t-continue, 133 | .phps-t-goto, 134 | .phps-t-and, 135 | .phps-t-xor, 136 | .phps-t-global, 137 | .phps-t-else, 138 | .phps-t-elseif, 139 | .phps-t-use, 140 | .phps-t-var, 141 | .phps-t-function, 142 | .phps-t-public, 143 | .phps-t-private, 144 | .phps-t-protected, 145 | .phps-t-static, 146 | .phps-t-class, 147 | .phps-t-new, 148 | .phps-t-bool-cast, 149 | .phps-t-double-cast, 150 | .phps-t-int-cast, 151 | .phps-t-unset-cast, 152 | .phps-t-file, 153 | .phps-t-line, 154 | .phps-t-dir, 155 | .phps-t-func-c, 156 | .phps-t-class-c, 157 | .phps-t-method-c, 158 | .phps-t-ns-c 159 | {color: #0000FF; font-weight:bold;} 160 | 161 | .phps-t-open-tag, 162 | .phps-t-close-tag 163 | {color: #FF0000; 
font-weight:bold;} 164 | 165 | .phps-t-const 166 | {color: #000000;} 167 | 168 | .phps-t-variable, .phps-t-string-varname, .funclistline, .phps-t-variable-marked 169 | {color: #000080;} 170 | 171 | .phps-t-variable-marked 172 | {background-color:#F5A69A;} 173 | 174 | .phps-tainted-var 175 | {color: #0606Ed;} 176 | 177 | .phps-t-lnumber 178 | {color: #FF8000} 179 | 180 | .phps-t-encapsed-and-whitespace, 181 | .phps-t-constant-encapsed-string, 182 | .phps-t-start-heredoc, 183 | .phps-t-end-heredoc 184 | {color: #4A4A4A;} 185 | 186 | .phps-t-inline-html 187 | {color: #000000; font-weight:bold;} 188 | 189 | .phps-t-comment, 190 | .phps-t-ml-comment, 191 | .phps-t-doc-comment 192 | {color: #63C763; font-weight:normal;} -------------------------------------------------------------------------------- /css/phps.css: -------------------------------------------------------------------------------- 1 | #scrollwindow { 2 | background-color: grey; 3 | opacity:0.22; 4 | } 5 | 6 | body, html { 7 | color: #111111; 8 | } 9 | 10 | .textcolor { 11 | color: #ffffff; 12 | } 13 | 14 | .darkcolor { 15 | color: black; 16 | } 17 | 18 | .userinput, .persistent { 19 | list-style-type: disc; 20 | color:white; 21 | } 22 | .validated { 23 | list-style-type: disc; 24 | color:red; 25 | } 26 | .functioninput { 27 | list-style-type: disc; 28 | color:yellow; 29 | } 30 | 31 | .codebox { 32 | margin-bottom: 10px; 33 | background-color: #C4CDD1; 34 | } 35 | 36 | .vulnblock { 37 | background-color:#ABBBC3; 38 | color:black; 39 | font-weight:bold; 40 | } 41 | 42 | .windowcontent , #funccodecontent, #funccodetitle, .funclistcontent { 43 | background-color: #C4CDD1; 44 | opacity:0.92; 45 | } 46 | 47 | .markline { 48 | background-color: #F98888; 49 | } 50 | 51 | .code, .vulntitle { 52 | font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace; 53 | font-size:9pt; 54 | color: #007700; 55 | } 56 | 57 | .requires, 58 | .linenr 59 | {color: black; font-weight:bold;} 60 | 61 | .link 62 | 
{font-weight:bold; color: #0000BB;} 63 | 64 | .phps-code, 65 | .phps-t-dollar-open-curly-braces, 66 | .phps-t-curly-open, 67 | .phps-t-open-tag, 68 | .phps-t-close-tag, 69 | .phps-t-and-equal, 70 | .phps-t-concat-equal, 71 | .phps-t-div-equal, 72 | .phps-t-minus-equal, 73 | .phps-t-mod-equal, 74 | .phps-t-mul-equal, 75 | .phps-t-or-equal, 76 | .phps-t-plus-equal, 77 | .phps-t-sl-equal, 78 | .phps-t-sr-equal, 79 | .phps-t-xor-equal, 80 | .phps-t-is-equal, 81 | .phps-t-is-greater-or-equal, 82 | .phps-t-is-identical, 83 | .phps-t-is-not-equal, 84 | .phps-t-is-not-identical, 85 | .phps-t-inc, 86 | .phps-t-dec, 87 | .phps-t-object-operator, 88 | .phps-t-double-colon, 89 | .phps-t-paamayim-nekudotayim, 90 | .phps-t-if, 91 | .phps-t-switch, 92 | .phps-t-while, 93 | .phps-t-do, 94 | .phps-t-exit, 95 | .phps-t-try, 96 | .phps-t-catch, 97 | .phps-t-isset, 98 | .phps-t-exclaim, 99 | .phps-t-for, 100 | .phps-t-foreach, 101 | .phps-t-return, 102 | .phps-t-double-arrow, 103 | .phps-t-as, 104 | .phps-t-or, 105 | .phps-t-case, 106 | .phps-t-default, 107 | .phps-t-break, 108 | .phps-t-continue, 109 | .phps-t-goto, 110 | .phps-t-and, 111 | .phps-t-xor, 112 | .phps-t-global, 113 | .phps-t-logical-and, 114 | .phps-t-logical-or, 115 | .phps-t-boolean-or, 116 | .phps-t-boolean-and, 117 | .phps-t-empty, 118 | .phps-t-unset, 119 | .phps-t-else, 120 | .phps-t-elseif, 121 | .phps-t-list, 122 | .phps-t-array, 123 | .phps-t-echo, 124 | .phps-t-start-heredoc, 125 | .phps-t-end-heredoc, 126 | .phps-t-function, 127 | .phps-t-public, 128 | .phps-t-private, 129 | .phps-t-protected, 130 | .phps-t-static, 131 | .phps-t-class, 132 | .phps-t-new, 133 | .phps-t-print, 134 | .phps-t-include, 135 | .phps-t-include-once, 136 | .phps-t-require, 137 | .phps-t-require-once, 138 | .phps-t-use, 139 | .phps-t-var, 140 | .phps-t-bool-cast, 141 | .phps-t-double-cast, 142 | .phps-t-int-cast, 143 | .phps-t-unset-cast, 144 | .phps-t-boolean-or, 145 | .phps-t-boolean-and, 146 | .phps-t-file, 147 | .phps-t-line, 148 | 
.phps-t-dir, 149 | .phps-t-func-c, 150 | .phps-t-class-c, 151 | .phps-t-method-c, 152 | .phps-t-ns-c 153 | {color: #007700;} 154 | 155 | .phps-t-const, 156 | .phps-t-variable, 157 | .phps-t-string-varname, 158 | .phps-t-string, 159 | .phps-t-eval, 160 | .phps-t-lnumber, 161 | .funclistline, 162 | .phps-t-variable-marked, 163 | .phps-tainted-var 164 | {color: #0000BB;} 165 | 166 | .phps-t-variable-marked 167 | {background-color:#F5A69A;} 168 | 169 | .phps-tainted-var 170 | {font-weight:bold;} 171 | 172 | .phps-t-encapsed-and-whitespace, 173 | .phps-t-constant-encapsed-string 174 | {color: #DD0000;} 175 | 176 | .phps-t-inline-html 177 | {color: #000000;} 178 | 179 | .phps-t-comment, 180 | .phps-t-ml-comment, 181 | .phps-t-doc-comment 182 | {color: #FF8000} 183 | -------------------------------------------------------------------------------- /css/print.css: -------------------------------------------------------------------------------- 1 | html, body, div, span, applet, object, iframe, 2 | h1, h2, h3, h4, h5, h6, p, blockquote, pre, 3 | a, abbr, acronym, address, big, cite, code, 4 | del, dfn, em, img, ins, kbd, q, s, samp, 5 | small, strike, strong, sub, sup, tt, var, 6 | b, u, i, center, 7 | dl, dt, dd, ol, ul, li, 8 | fieldset, form, label, legend, 9 | table, caption, tbody, tfoot, thead, tr, th, td, 10 | article, aside, canvas, details, embed, 11 | figure, figcaption, footer, header, hgroup, 12 | menu, nav, output, ruby, section, summary, 13 | time, mark, audio, video { 14 | background-color: white; 15 | color: black; 16 | } 17 | 18 | #scrollwindow { 19 | background-color: grey; 20 | opacity:0.22; 21 | } 22 | 23 | div.menu { 24 | background-color: white; 25 | border: 0px; 26 | } 27 | 28 | div.stats { 29 | background-color: white; 30 | color: black; 31 | position: relative; 32 | margin-bottom: 15px; 33 | } 34 | div#window1, 35 | div#window2, 36 | div#window3, 37 | div#window4, 38 | div#window5 { 39 | display: none; 40 | } 41 | div.vulnblock { 42 | 
background-color: white !important; 43 | color: white; 44 | } 45 | div.codebox { 46 | margin-bottom: 1px; 47 | background-color: white; 48 | } 49 | div.vulnblock span { 50 | color: black; 51 | } 52 | div.vulnblock span.phps-t-constant-encapsed-string, 53 | div.vulnblock span.phps-t-encapsed-and-whitespace, 54 | div.vulnblock span.phps-t-comment, 55 | div.vulnblock span.phps-t-ml-comment, 56 | div.vulnblock span.phps-t-doc-comment { 57 | color: #999999; 58 | } 59 | div.buttonbox { 60 | display: none; 61 | } 62 | div.help, 63 | div.fileico, 64 | div.minusico, 65 | div.exploit, 66 | div.dataleak { 67 | display: none; 68 | } 69 | input.button[value=x] { 70 | display: none; 71 | } 72 | -------------------------------------------------------------------------------- /css/rips.css: -------------------------------------------------------------------------------- 1 | body, html { 2 | font-family: helvetica; 3 | background-color: #DFDFDF; 4 | padding: 0; 5 | margin: 0; 6 | color: #DFDFDF; 7 | } 8 | 9 | .menu { 10 | background-color: #223344; 11 | padding: 8px; 12 | padding-bottom: 0px; 13 | border: 1px solid black; 14 | } 15 | 16 | .logo { 17 | margin-top:5px; 18 | background-image: url(rips.png); 19 | background-repeat: no-repeat; 20 | height: 52px; 21 | width: 150px; 22 | text-align: right; 23 | font-size: 12px; 24 | display:table-cell; 25 | vertical-align:bottom; 26 | } 27 | 28 | a#logo { 29 | color:#FFCC44; 30 | text-decoration: none; 31 | } 32 | 33 | .scanning, .stats { 34 | margin-left:35%; 35 | border:3px solid black; 36 | position:absolute; 37 | opacity: .94; 38 | background-color: #223344; 39 | color:white; 40 | } 41 | 42 | .stats { 43 | width:290px; 44 | font-size: 12px; 45 | padding:5px; 46 | } 47 | 48 | .scanning { 49 | height:200px; 50 | width:300px; 51 | margin-top:100px; 52 | display:none; 53 | text-align:center; 54 | font-size: 22px; 55 | font-weight:bold; 56 | background-image: url(scanning.gif); 57 | background-repeat: no-repeat; 58 | background-position: 
105px 60px; 59 | } 60 | 61 | .scanned { 62 | position: absolute; 63 | background-color: #FFCC44; 64 | height:5px; 65 | width:75px; 66 | margin-left:113px; 67 | margin-top:70px; 68 | opacity: .50; 69 | } 70 | 71 | .scanfile, .scantimeleft { 72 | font-size: 10px; 73 | font-weight:normal; 74 | text-align:center; 75 | position:absolute; 76 | } 77 | 78 | .scanprogress { 79 | position:absolute; 80 | margin-top:80px; 81 | width:100%; 82 | text-align:center; 83 | font-size: 12px; 84 | color:black; 85 | } 86 | 87 | .scantimeleft { 88 | bottom:5px; 89 | width:100%; 90 | } 91 | 92 | .scanfile { 93 | margin-right:5px; 94 | margin-left:5px; 95 | } 96 | 97 | .diagram { 98 | height:70px; 99 | width:80px; 100 | } 101 | 102 | .warning { 103 | font-size:12px; 104 | } 105 | 106 | .chart { 107 | background-color: #FFCC44; 108 | height:10px; 109 | float:left; 110 | margin-right:5px; 111 | } 112 | 113 | .menushade { 114 | background-image: url(''); 115 | height: 9px; 116 | } 117 | 118 | .menushade { 119 | margin-top:0px; 120 | margin-bottom: 30px; 121 | width: 100%; 122 | margin-left: auto; 123 | margin-right: auto; 124 | } 125 | 126 | .fileico { 127 | height: 13px; 128 | width: 14px; 129 | background-position: 2px 0px; 130 | background-repeat: no-repeat; 131 | background-image: url(''); 132 | } 133 | 134 | .minusico { 135 | height: 13px; 136 | width: 14px; 137 | background-position: 2px 1px; 138 | background-repeat: no-repeat; 139 | background-image: url(''); 140 | } 141 | 142 | .plusico { 143 | height: 11px; 144 | width: 14px; 145 | background-position: 2px 1px; 146 | background-repeat: no-repeat; 147 | background-image: url(''); 148 | } 149 | 150 | .exploit { 151 | height: 13px; 152 | width: 13px; 153 | background-image: url(''); 154 | } 155 | 156 | .help { 157 | height: 14px; 158 | width: 14px; 159 | background-image: url(''); 160 | } 161 | 162 | .hotpatch { 163 | height: 15px; 164 | width: 15px; 165 | margin-top: -1px; 166 | background-image: url(''); 167 | } 168 | 169 | .dataleak 
{ 170 | height: 15px; 171 | width: 13px; 172 | margin-top: -1px; 173 | margin-left: 3px; 174 | background-image: url(''); 175 | } 176 | 177 | .fileico, .minusico, .plusico, .exploit, .help, .hotpatch, .dataleak { 178 | margin-left: 2px; 179 | cursor:pointer; 180 | float:left; 181 | } 182 | 183 | 184 | .vulntitle { 185 | margin-left: 20px; 186 | } 187 | 188 | #window1, #window2, #window3, #window4, #window5 { 189 | display:none; 190 | position:absolute; 191 | top:200px; 192 | right:200px; 193 | } 194 | 195 | #funccode { 196 | display:none; 197 | position:absolute; 198 | } 199 | 200 | #funccodecontent { 201 | border: 1px solid #888; 202 | opacity: .96; 203 | max-height: 250px; 204 | overflow-y: scroll; 205 | } 206 | 207 | #funccodetitle { 208 | border: 1px solid #888; 209 | padding: 4px; 210 | } 211 | 212 | .windowtitlebar, .funclisttitlebar { 213 | background: #364C63; 214 | height:30px; 215 | border: 2px solid black; 216 | color: #FFFFFF; 217 | z-index:3; 218 | cursor: move; 219 | white-space:nowrap; 220 | width:100%; 221 | } 222 | 223 | .windowtitle, .funclisttitle { 224 | margin-left:20px; 225 | height:30px; 226 | color: #DFDFDF; 227 | font-weight:bold; 228 | font-size:14px; 229 | padding-top:7px; 230 | margin-bottom:-7px; 231 | overflow:hidden; 232 | white-space:nowrap; 233 | } 234 | 235 | #scrolldiv { 236 | border-left: 2px solid black; 237 | width:84px; 238 | height:100%; 239 | position:relative; 240 | float:left; 241 | background-color: black; 242 | } 243 | 244 | #scrollwindow { 245 | height:50px; 246 | width:100%; 247 | position:absolute; 248 | } 249 | 250 | #scrollcode { 251 | width:85px; 252 | height:100%; 253 | overflow:hidden; 254 | } 255 | 256 | #scrollcode table { 257 | font-size:.15em; 258 | } 259 | #scrollcode td { 260 | padding: 0px; 261 | margin: 0px; 262 | line-height:0.02; 263 | height:0.02em; 264 | } 265 | 266 | .closebutton, .maxbutton { 267 | height:15px; 268 | width:15px; 269 | top:10px; 270 | position:absolute; 271 | } 272 | 273 | .maxbutton 
{ 274 | right:40px; 275 | } 276 | 277 | .closebutton { 278 | right:20px; 279 | } 280 | 281 | .windowcontent, .funclistcontent { 282 | overflow:auto; 283 | opacity: .98; 284 | border-left: 2px solid black; 285 | border-right: 2px solid black; 286 | height: 100%; 287 | width:100%; 288 | } 289 | 290 | #windowcontent1 { 291 | float:left; 292 | margin-left:84px; 293 | position:absolute; 294 | width:516px; 295 | } 296 | 297 | .return { 298 | display:none; 299 | position:absolute; 300 | margin-top:-2px; 301 | margin-left:20px; 302 | font-size:16px; 303 | font-family: monospace; 304 | font-weight:bold; 305 | cursor:pointer; 306 | } 307 | 308 | .windowfooter , .funclistfooter { 309 | cursor:se-resize; 310 | background: #364C63; 311 | height:15px; 312 | border: 2px solid black; 313 | width:100%; 314 | } 315 | 316 | .funclistline { 317 | cursor: pointer; 318 | } 319 | 320 | .exploittitlebox { 321 | background-color: black; 322 | padding-left: 10px; 323 | margin-top: 10px; 324 | font-weight: bold; 325 | width: 390px; 326 | } 327 | 328 | .exploittitle { 329 | color:white; 330 | font-weight: bold; 331 | white-space: nowrap; 332 | width: 350px; 333 | float: left; 334 | } 335 | 336 | .exploitbox { 337 | width: 400px; 338 | } 339 | 340 | .exploitcontentbox { 341 | border: 2px solid black; 342 | background-color: #333333; 343 | padding: 3px; 344 | } 345 | 346 | .helptitle, .helpbox { 347 | border:1px solid black; 348 | padding-left:10px; 349 | padding-right:10px 350 | } 351 | 352 | .helptitle { 353 | background-color: #364C63; 354 | } 355 | 356 | .helpbox { 357 | background-color: #333333; 358 | } 359 | 360 | .linenrcolumn { 361 | text-align:right; 362 | } 363 | 364 | .filebox { 365 | margin-left: 20px; 366 | margin-right: 20px; 367 | color: black; 368 | } 369 | 370 | table { 371 | font-size: 14; 372 | } 373 | 374 | 375 | .menutable { 376 | color: #C0C0C0; 377 | } 378 | 379 | input[type="text"],select { 380 | color: #000 !important; 381 | background: #989FA2 !important; 382 | 
font-size:12px; 383 | padding:2px; 384 | border:1px solid #000; 385 | } 386 | 387 | .closebutton,.maxbutton, 388 | .Button { 389 | background-color:#454545; 390 | color:#fff; 391 | border:1px solid #000; 392 | } 393 | 394 | .Defined { 395 | text-decoration: none; 396 | color:#0000FF; 397 | } 398 | 399 | label { 400 | padding:10px; 401 | margin:10px; 402 | } 403 | 404 | img { 405 | border:0; 406 | } 407 | 408 | ul { 409 | list-style-type:none; 410 | } 411 | 412 | hr { 413 | border:1px solid black; 414 | } 415 | 416 | a { 417 | color: #DFDFDF; 418 | } 419 | 420 | .filename 421 | { 422 | text-decoration:underline; 423 | font-weight:bold; 424 | } 425 | 426 | .codebox { 427 | margin-bottom: 10px; 428 | background-color: #DFDFDF; 429 | } 430 | 431 | .vulnblocktitle { 432 | margin-left: 20px; 433 | font-size: 10pt; 434 | padding:5px; 435 | width:200px; 436 | } 437 | 438 | .vulnblock { 439 | border:1px solid black; 440 | } 441 | 442 | #filecanvas , #functioncanvas{ 443 | display:none; 444 | } 445 | 446 | .jumplink { 447 | position:absolute; 448 | margin-top:-40px; 449 | } -------------------------------------------------------------------------------- /css/rips.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/J0o1ey/rips-Chinese/5fa53b71a40193a6320db45813e2fb9b85b9fdd4/css/rips.png -------------------------------------------------------------------------------- /css/scanning.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/J0o1ey/rips-Chinese/5fa53b71a40193a6320db45813e2fb9b85b9fdd4/css/scanning.gif -------------------------------------------------------------------------------- /css/term.css: -------------------------------------------------------------------------------- 1 | #scrollwindow { 2 | background-color: grey; 3 | opacity:0.22; 4 | } 5 | 6 | .userinput, .persistent { 7 | list-style-type: disc; 8 | color:white; 9 | } 10 | 
.validated { 11 | list-style-type: disc; 12 | color:red; 13 | } 14 | .functioninput { 15 | list-style-type: disc; 16 | color:yellow; 17 | } 18 | 19 | .vulnblock { 20 | background-color:#223344; 21 | color:#FFF; 22 | font-weight:bold; 23 | } 24 | 25 | .codebox { 26 | margin-bottom: 10px; 27 | background-color: #101820; 28 | } 29 | 30 | .windowcontent, .filecanvas, #funccodecontent, #funccodetitle, .funclistcontent { 31 | background-color: #101820; 32 | } 33 | 34 | .markline { 35 | background-color: #0A212C; 36 | } 37 | 38 | .requires 39 | {color: #D2A8A1; font-weight:bold;} 40 | 41 | .linenr 42 | {color: #444;} 43 | 44 | .link 45 | {color: #DC578C; font-weight:bold;} 46 | 47 | .code, .vulntitle { 48 | font-size:9pt; 49 | font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace; 50 | } 51 | 52 | .code, 53 | .phps-code, .phps-t-curly-open, .phps-t-dollar-open-curly-braces, .vulntitle 54 | {color: #B5C9C9; } 55 | 56 | .phps-t-string, 57 | .phps-t-eval, 58 | .phps-t-print, 59 | .phps-t-include, 60 | .phps-t-include-once, 61 | .phps-t-require, 62 | .phps-t-require-once, 63 | .phps-t-isset, 64 | .phps-t-empty, 65 | .phps-t-while, 66 | .phps-t-do, 67 | .phps-t-try, 68 | .phps-t-catch, 69 | .phps-t-exit, 70 | .phps-t-unset, 71 | .phps-t-list, 72 | .phps-t-array, 73 | .phps-t-echo, 74 | .phps-t-start-heredoc, 75 | .phps-t-end-heredoc 76 | {color: #FFFFFF;} 77 | /*E1E1F9*/ 78 | 79 | .phps-t-open-tag, 80 | .phps-t-close-tag, 81 | .phps-t-and-equal, 82 | .phps-t-concat-equal, 83 | .phps-t-div-equal, 84 | .phps-t-minus-equal, 85 | .phps-t-mod-equal, 86 | .phps-t-mul-equal, 87 | .phps-t-or-equal, 88 | .phps-t-plus-equal, 89 | .phps-t-sl-equal, 90 | .phps-t-sr-equal, 91 | .phps-t-xor-equal, 92 | .phps-t-is-equal, 93 | .phps-t-is-greater-or-equal, 94 | .phps-t-is-identical, 95 | .phps-t-is-not-equal, 96 | .phps-t-is-not-identical, 97 | .phps-t-object-operator, 98 | .phps-t-double-colon, 99 | .phps-t-paamayim-nekudotayim, 100 | .phps-t-if, 101 | .phps-t-isset, 102 
| .phps-t-exclaim, 103 | .phps-t-for, 104 | .phps-t-foreach, 105 | .phps-t-return, 106 | .phps-t-double-arrow, 107 | .phps-t-as, 108 | .phps-t-or, 109 | .phps-t-case, 110 | .phps-t-default, 111 | .phps-t-break, 112 | .phps-t-continue, 113 | .phps-t-goto, 114 | .phps-t-and, 115 | .phps-t-xor, 116 | .phps-t-global, 117 | .phps-t-logical-and, 118 | .phps-t-logical-or, 119 | .phps-t-boolean-or, 120 | .phps-t-boolean-and, 121 | .phps-t-else, 122 | .phps-t-elseif, 123 | .phps-t-switch, 124 | .phps-t-use, 125 | .phps-t-var, 126 | .phps-t-inc, 127 | .phps-t-dec, 128 | .phps-t-function, 129 | .phps-t-public, 130 | .phps-t-private, 131 | .phps-t-protected, 132 | .phps-t-static, 133 | .phps-t-class, 134 | .phps-t-new, 135 | .phps-t-bool-cast, 136 | .phps-t-double-cast, 137 | .phps-t-int-cast, 138 | .phps-t-unset-cast, 139 | .phps-t-file, 140 | .phps-t-line, 141 | .phps-t-dir, 142 | .phps-t-func-c, .phps-t-class-c, 143 | .phps-t-method-c, 144 | .phps-t-ns-c 145 | {color: #CF628D;} 146 | 147 | .phps-t-const 148 | {color: #CF628D;} 149 | 150 | .phps-t-variable, 151 | .phps-t-variable-marked, 152 | .phps-t-string-varname, 153 | .funclistline 154 | {color: #1487BD;} 155 | 156 | .phps-t-variable-marked 157 | {background-color:#132F3C;} 158 | 159 | .phps-tainted-var 160 | {color: #1AA9EC;} 161 | 162 | .phps-t-lnumber 163 | {color: #CF6A4C} 164 | 165 | .phps-t-encapsed-and-whitespace, 166 | .phps-t-constant-encapsed-string 167 | {color: #6C8EB7;} 168 | /* FFCE42 */ 169 | .phps-t-inline-html 170 | {color: #FFCE42;} 171 | 172 | .phps-t-comment, 173 | .phps-t-ml-comment, 174 | .phps-t-doc-comment 175 | {color: #2C425D} 176 | -------------------------------------------------------------------------------- /css/twilight.css: -------------------------------------------------------------------------------- 1 | #scrollwindow { 2 | background-color: grey; 3 | opacity:0.22; 4 | } 5 | 6 | .userinput, .persistent { 7 | list-style-type: disc; 8 | color:white; 9 | } 10 | .validated { 11 | 
list-style-type: disc; 12 | color:red; 13 | } 14 | .functioninput { 15 | list-style-type: disc; 16 | color:yellow; 17 | } 18 | 19 | .codebox { 20 | margin-bottom: 10px; 21 | background-color: #141414; 22 | } 23 | 24 | .vulnblock { 25 | background-color:#151D24; 26 | color:#FFCC44; 27 | font-weight:bold; 28 | } 29 | 30 | .windowcontent, .filecanvas, #funccodecontent, #funccodetitle, .funclistcontent { 31 | background-color: #141414; 32 | } 33 | 34 | .markline { 35 | background-color: #531107; 36 | } 37 | 38 | .requires 39 | {color: #D2A8A1; font-weight:bold;} 40 | 41 | .linenr 42 | {color: #888;} 43 | 44 | .link 45 | {color: #CF6A4C; font-weight:bold;} 46 | 47 | .code, .vulntitle { 48 | font-size:9pt; 49 | font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace; 50 | } 51 | 52 | .code, 53 | .phps-code, .phps-t-curly-open, .phps-t-dollar-open-curly-braces, .vulntitle 54 | {color: white; } 55 | 56 | .phps-t-string, 57 | .phps-t-eval, 58 | .phps-t-print, 59 | .phps-t-include, 60 | .phps-t-include-once, 61 | .phps-t-require, 62 | .phps-t-require-once, 63 | .phps-t-isset, 64 | .phps-t-empty, 65 | .phps-t-while, 66 | .phps-t-do, 67 | .phps-t-try, 68 | .phps-t-catch, 69 | .phps-t-exit, 70 | .phps-t-unset, 71 | .phps-t-list, 72 | .phps-t-array, 73 | .phps-t-echo, 74 | .phps-t-start-heredoc, 75 | .phps-t-end-heredoc 76 | {color: #DAD085;} 77 | 78 | 79 | .phps-t-open-tag, 80 | .phps-t-close-tag, 81 | .phps-t-and-equal, 82 | .phps-t-concat-equal, 83 | .phps-t-div-equal, 84 | .phps-t-minus-equal, 85 | .phps-t-mod-equal, 86 | .phps-t-mul-equal, 87 | .phps-t-or-equal, 88 | .phps-t-plus-equal, 89 | .phps-t-sl-equal, 90 | .phps-t-sr-equal, 91 | .phps-t-xor-equal, 92 | .phps-t-is-equal, 93 | .phps-t-is-greater-or-equal, 94 | .phps-t-is-identical, 95 | .phps-t-is-not-equal, 96 | .phps-t-is-not-identical, 97 | .phps-t-object-operator, 98 | .phps-t-double-colon, 99 | .phps-t-paamayim-nekudotayim, 100 | .phps-t-if, 101 | .phps-t-isset, 102 | .phps-t-exclaim, 103 | 
.phps-t-for, 104 | .phps-t-foreach, 105 | .phps-t-return, 106 | .phps-t-double-arrow, 107 | .phps-t-as, 108 | .phps-t-or, 109 | .phps-t-case, 110 | .phps-t-default, 111 | .phps-t-break, 112 | .phps-t-continue, 113 | .phps-t-goto, 114 | .phps-t-and, 115 | .phps-t-xor, 116 | .phps-t-global, 117 | .phps-t-logical-and, 118 | .phps-t-logical-or, 119 | .phps-t-boolean-or, 120 | .phps-t-boolean-and, 121 | .phps-t-else, 122 | .phps-t-elseif, 123 | .phps-t-switch, 124 | .phps-t-use, 125 | .phps-t-var, 126 | .phps-t-inc, 127 | .phps-t-dec, 128 | .phps-t-function, 129 | .phps-t-public, 130 | .phps-t-private, 131 | .phps-t-protected, 132 | .phps-t-static, 133 | .phps-t-class, 134 | .phps-t-new, 135 | .phps-t-bool-cast, 136 | .phps-t-double-cast, 137 | .phps-t-int-cast, 138 | .phps-t-unset-cast, 139 | .phps-t-file, 140 | 141 | .phps-t-line, 142 | 143 | .phps-t-dir, 144 | 145 | .phps-t-func-c, 146 | 147 | .phps-t-class-c, 148 | 149 | .phps-t-method-c, 150 | 151 | .phps-t-ns-c 152 | {color: #9B703F;} 153 | 154 | .phps-t-const 155 | {color: #CF6A4C;} 156 | 157 | .phps-t-variable, 158 | .phps-t-variable-marked, 159 | .phps-t-string-varname, 160 | .funclistline 161 | {color: #7587A6;} 162 | 163 | .phps-t-variable-marked 164 | {background-color:darkred;} 165 | 166 | .phps-tainted-var 167 | {color: #9ABDFB;} 168 | 169 | .phps-t-lnumber 170 | {color: #CF6A4C} 171 | 172 | .phps-t-encapsed-and-whitespace, 173 | .phps-t-constant-encapsed-string 174 | {color: #8F9D6A;} 175 | 176 | .phps-t-inline-html 177 | {color: #F9EE98;} 178 | 179 | .phps-t-comment, 180 | .phps-t-ml-comment, 181 | .phps-t-doc-comment 182 | {color: #5F5A60} 183 | -------------------------------------------------------------------------------- /index.php: -------------------------------------------------------------------------------- 1 | 17 | 18 | 19 | 20 | \n"; 27 | } 28 | ?> 29 | 30 | 31 | 32 | 33 | RIPS汉化版--BY:J0o1ey QQ547006660 34 | 47 | 48 | 49 | 50 | 165 | 166 | 167 |
客官,淫家正在扫描 ... 168 |
169 |
170 | 171 |
172 | 173 |
174 |

快速使用方法:

175 |

查找本地PHP源代码路径/文件 (eg. F:/www/project1/ or F:/www/index.php), 选择你需要审计的漏洞类型,并点击扫描!
176 | 勾选扫描子目录,会将所有子目录包含到扫描中。建议只扫描项目的根目录。子目录中被PHP代码所包含的文件会由RIPS自动扫描。不过,启用子目录扫描可以提高扫描结果的成功率(结果显示)。

177 |

高级骚操作:

178 |

通过选择不同的扫描级别(默认级别1),调试错误或提高扫描结果。
179 | 扫描完成后,右上角会出现4个新按钮。您可以在窗口中单击漏洞类型的名称,在不同类型的漏洞之间切换。点击右上角的用户输入可以获取入口点列表、函数列表(所有用户定义的函数)或文件列表,以及所有已扫描文件及其包含关系的图表。所有列表均链接到代码查看器。

180 |

风格:

181 |

通过选择不同的代码样式来更改语法高亮模式。
182 | 在扫描之前,您可以选择代码流的显示方式:自下而上或自上而下。

183 |

图标:

184 | 190 |

选项:

191 | 203 |

提示:

204 | 209 |
210 | 211 |
212 | 213 | 214 | -------------------------------------------------------------------------------- /js/exploit.js: -------------------------------------------------------------------------------- 1 | /** 2 | RIPS - A static source code analyser for vulnerabilities in PHP scripts 3 | by Johannes Dahse (johannes.dahse@rub.de) 4 | **/ 5 | 6 | function editExploit() 7 | { 8 | document.getElementById('exploitcode').style.display = "none"; 9 | document.getElementById('exploitbuild').style.display = "block"; 10 | } 11 | 12 | function deleteMethod(method) 13 | { 14 | document.getElementById(method+'box').style.display = "none"; 15 | } 16 | 17 | function getQuery(method) 18 | { 19 | var query = ""; 20 | var elements = document.getElementById(method).elements; 21 | for(var i=0;i"; 45 | output = output + "
//

$target = $argv[1];

"; 46 | 47 | var target = document.getElementById('target').value; 48 | var cookiejar = document.getElementById('cookiejar').value; 49 | var exectime = document.getElementById('exectime').value; 50 | var ssl = document.getElementById('ssl').checked 51 | var auth = document.getElementById('auth').checked 52 | 53 | if(document.getElementById('$_FILES') != undefined) 54 | output = output + "$postData = array();
$postData[ 'file' ] = \"@" + document.getElementById('$_FILES').elements[0].value + "\";

"; 55 | 56 | if(auth) 57 | { 58 | output = output + "$username = \"\";
$password = \"\";

"; 59 | } 60 | 61 | output = output + "$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
"; 62 | 63 | if(document.getElementById('$_GET') != undefined) 64 | { 65 | var getquery = getQuery('$_GET'); 66 | output = output + "curl_setopt($ch, CURLOPT_URL, \"" + target + '?' + getquery + "\");
"; 67 | output = output + "curl_setopt($ch, CURLOPT_HTTPGET, 1);
"; 68 | } 69 | else 70 | { 71 | output = output + "curl_setopt($ch, CURLOPT_URL, \"" + target + "\");
"; 72 | } 73 | 74 | output = output + "curl_setopt($ch, CURLOPT_USERAGENT, \"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\");
"; 75 | 76 | 77 | if(document.getElementById('$_POST') != undefined || document.getElementById('$_FILES') != undefined) 78 | output = output + "curl_setopt($ch, CURLOPT_POST, 1);
"; 79 | 80 | if(document.getElementById('$_POST') != undefined) 81 | { 82 | var postquery = getQuery('$_POST'); 83 | output = output + "curl_setopt($ch, CURLOPT_POSTFIELDS, \"" + postquery + "\");
"; 84 | } 85 | 86 | if(document.getElementById('$_FILES') != undefined) 87 | output = output + "curl_setopt($ch, CURLOPT_POSTFIELDS, $postData );
"; 88 | 89 | if(document.getElementById('$_COOKIE') != undefined) 90 | { 91 | var cookie = getQuery('$_COOKIE'); 92 | output = output + "curl_setopt($ch, CURLOPT_COOKIE, \"" + cookie + "\");
"; 93 | } 94 | 95 | if(document.getElementById('$_SERVER') != undefined) 96 | { 97 | var elements = document.getElementById('$_SERVER').elements; 98 | for(var i=0;i"; 102 | else if(elements[i].name == 'HTTP_ACCEPT') 103 | output = output + "curl_setopt($ch, CURLOPT_HTTPHEADER, \"Accept: "+elements[i].value+"\");
"; 104 | else if(elements[i].name == 'HTTP_ACCEPT_LANGUAGE') 105 | output = output + "curl_setopt($ch, CURLOPT_HTTPHEADER, \"Accept-Language: "+elements[i].value+"\");
"; 106 | else if(elements[i].name == 'HTTP_ACCEPT_ENCODING') 107 | output = output + "curl_setopt($ch, CURLOPT_ENCODING, \""+elements[i].value+"\");
"; 108 | else if(elements[i].name == 'HTTP_ACCEPT_CHARSET') 109 | output = output + "curl_setopt($ch, CURLOPT_HTTPHEADER, \"Accept-Charset: "+elements[i].value+"\");
"; 110 | else if(elements[i].name == 'HTTP_KEEP_ALIVE') 111 | output = output + "curl_setopt($ch, CURLOPT_HTTPHEADER, array(\"Connection: keep-alive\", \"Keep-Alive: "+elements[i].value+"\"));
"; 112 | else if(elements[i].name == 'HTTP_CONNECTION') 113 | output = output + "curl_setopt($ch, CURLOPT_HTTPHEADER, \"Connection: "+elements[i].value+"\");
"; 114 | } 115 | } 116 | 117 | 118 | if(exectime != "") 119 | output = output + "curl_setopt($ch, CURLOPT_TIMEOUT, " + exectime + ");
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, " + exectime + ");
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, " + exectime + ");
"; 120 | 121 | if(cookiejar != "") 122 | output = output + "curl_setopt($ch, CURLOPT_COOKIEJAR, \"" + cookiejar + "\");
"; 123 | 124 | if(ssl) 125 | { 126 | output = output + "curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
"; 127 | output = output + "curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
"; 128 | output = output + "curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
"; 129 | } 130 | 131 | if(auth) 132 | { 133 | output = output + "curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
"; 134 | output = output + "curl_setopt($ch, CURLOPT_USERPWD, \"$username:$password\");
"; 135 | } 136 | 137 | output = output + "$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
"; 138 | output = output + "
echo $buf;
"; 139 | 140 | var exploitdiv = document.getElementById('exploitcode'); 141 | exploitdiv.innerHTML = output; 142 | exploitdiv.style.display = "block"; 143 | document.getElementById('exploitbuild').style.display = "none"; 144 | } 145 | 146 | function setssl() 147 | { 148 | var targetelement = document.getElementById('target'); 149 | var newset; 150 | var oldset = targetelement.value; 151 | if(document.getElementById('ssl').checked) 152 | { 153 | oldset = oldset.replace(/https:/, "http:"); 154 | newset = oldset.replace(/http:/, "https:"); 155 | } else 156 | { 157 | newset = oldset.replace(/https/, "http"); 158 | } 159 | targetelement.value = newset; 160 | } -------------------------------------------------------------------------------- /js/hotpatch.js: -------------------------------------------------------------------------------- 1 | function getParams(method) 2 | { 3 | var query = ""; 4 | var elements = document.getElementById(method).elements; 5 | for(var i=0;i $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb directory traversal attempt"; flow:to_server,established; uricontent:"/YaBB"; nocase; content:"../"; classtype:attempted-recon;) 38 | 39 | 40 | // mod_security 41 | 42 | // SERVER 43 | SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|\.nasl)" 44 | "deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',severity:'4'" 45 | 46 | http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/04-rules.html 47 | */ -------------------------------------------------------------------------------- /lib/analyzer.php: -------------------------------------------------------------------------------- 1 | . 
15 | 16 | **/ 17 | 18 | class Analyzer 19 | { 20 | // reconstructs string from a list of tokens 21 | function get_tokens_value($file_name, $tokens, $var_declares, $var_declares_global, $tokenid, $start=0, $stop=0, $source_functions=array()) 22 | { 23 | $value = ''; 24 | if(!$stop) $stop = count($tokens); 25 | // check all tokens until instruction ends 26 | for($i=$start; $i<$stop; $i++) 27 | { 28 | if( is_array($tokens[$i]) ) 29 | { 30 | // trace variables for its values 31 | if( $tokens[$i][0] === T_VARIABLE 32 | || ($tokens[$i][0] === T_STRING 33 | && $tokens[$i+1] !== '(' ) ) 34 | { 35 | if(!in_array($tokens[$i][1], Sources::$V_USERINPUT)) 36 | { 37 | // constant CONSTANTS 38 | if ($tokens[$i][1] === 'DIRECTORY_SEPARATOR') 39 | $value .= '/'; 40 | else if ($tokens[$i][1] === 'PATH_SEPARATOR') 41 | $value .= ';'; 42 | // global $varname -> global scope, CONSTANTS 43 | else if( (isset($tokens[$i-1]) && is_array($tokens[$i-1]) && $tokens[$i-1][0] === T_GLOBAL) || $tokens[$i][1][0] !== '$' ) 44 | $value .= self::get_var_value($file_name, $tokens[$i], $var_declares_global, $var_declares_global, $tokenid); 45 | // local scope 46 | else 47 | $value .= self::get_var_value($file_name, $tokens[$i], $var_declares, $var_declares_global, $tokenid); 48 | } else 49 | { 50 | if(isset($tokens[$i][3])) 51 | $parameter_name = str_replace(array("'",'"'), '', $tokens[$i][3][0]); 52 | else 53 | $parameter_name = ''; 54 | 55 | // mark userinput for quote analysis 56 | if( ($tokens[$i][1] !== '$_SERVER' || (empty($parameter_name) || in_array($parameter_name, Sources::$V_SERVER_PARAMS) || substr($parameter_name,0,5) === 'HTTP_')) 57 | && !((is_array($tokens[$i-1]) 58 | && in_array($tokens[$i-1][0], Tokens::$T_CASTS)) 59 | || (is_array($tokens[$i+1]) 60 | && in_array($tokens[$i+1][0], Tokens::$T_ARITHMETIC))) ) 61 | $value.='$_USERINPUT'; 62 | else 63 | $value.='1'; 64 | } 65 | } 66 | // add strings 67 | // except first string of define('var', 'value') 68 | else if( $tokens[$i][0] === 
T_CONSTANT_ENCAPSED_STRING 69 | && !($tokens[$i-2][0] === T_STRING && $tokens[$i-2][1] === 'define')) 70 | { 71 | // add string without quotes 72 | $value .= substr($tokens[$i][1], 1, -1); 73 | } 74 | // add directory name dirname(__FILE__) 75 | else if( $tokens[$i][0] === T_FILE 76 | && ($tokens[$i-2][0] === T_STRING && $tokens[$i-2][1] === 'dirname')) 77 | { 78 | // overwrite value because __FILE__ is absolute 79 | // add slash just to be sure 80 | $value = dirname($file_name).'/'; 81 | } 82 | // add numbers 83 | else if( $tokens[$i][0] === T_LNUMBER || $tokens[$i][0] === T_DNUMBER || $tokens[$i][0] === T_NUM_STRING ) 84 | { 85 | $value .= round($tokens[$i][1]); 86 | } 87 | else if( $tokens[$i][0] === T_ENCAPSED_AND_WHITESPACE ) 88 | { 89 | $value .= $tokens[$i][1]; 90 | } 91 | // if in foreach($bla as $key=>$value) dont trace $key, $value back 92 | else if( $tokens[$i][0] === T_AS ) 93 | { 94 | break; 95 | } 96 | // function calls 97 | else if($tokens[$i][0] === T_STRING && $tokens[$i+1] === '(') 98 | { 99 | // stop if strings are fetched from database/file (otherwise SQL query will be added) 100 | if (in_array($tokens[$i][1], Sources::$F_DATABASE_INPUT) || in_array($tokens[$i][1], Sources::$F_FILE_INPUT) || isset(Info::$F_INTEREST[$tokens[$i][1]])) 101 | { 102 | break; 103 | } 104 | // add userinput for functions that return userinput 105 | else if(in_array($tokens[$i][1], $source_functions)) 106 | { 107 | $value .= '$_USERINPUT'; 108 | } 109 | } 110 | } 111 | } 112 | 113 | return $value; 114 | 115 | } 116 | 117 | // traces values of variables and reconstructs string 118 | function get_var_value($file_name, $var_token, $var_declares, $var_declares_global, $last_token_id, $source_functions=array()) 119 | { 120 | $var_value = ''; 121 | 122 | // CONSTANTS 123 | if($var_token[1][0] !== '$') 124 | $var_token[1] = strtoupper($var_token[1]); 125 | 126 | // check if var declaration could be found for this var 127 | if( isset($var_declares[$var_token[1]]) ) 128 | { 129 
| foreach($var_declares[$var_token[1]] as $var_declare) 130 | { 131 | // check if array keys are the same (if it is an array) 132 | $array_key_diff = false; 133 | if( isset($var_token[3]) && !empty($var_declare->array_keys) ) 134 | $array_key_diff = array_diff_assoc($var_token[3], $var_declare->array_keys); 135 | 136 | if( $var_declare->id < $last_token_id && empty($array_key_diff)) 137 | $var_value .= self::get_tokens_value($file_name, $var_declare->tokens, $var_declares, $var_declares_global, $var_declare->id, $var_declare->tokenscanstart, $var_declare->tokenscanstop, $source_functions); 138 | 139 | if($var_value) 140 | break; 141 | } 142 | } 143 | return $var_value; 144 | } 145 | 146 | // get end of codeblock (Detect brace ending, ignore new brace opening and closing in between) 147 | function getBraceEnd($tokens, $i) 148 | { 149 | $c=1; 150 | $newbraceopen = 1; 151 | while( !($newbraceopen === 0 || $tokens[$i + $c] === ';') ) 152 | { 153 | // watch function calls in function call 154 | if( $tokens[$i + $c] === '(' ) 155 | { 156 | $newbraceopen++; 157 | } 158 | else if( $tokens[$i + $c] === ')' ) 159 | { 160 | $newbraceopen--; 161 | } 162 | if($c>50)break; 163 | $c++; 164 | } 165 | return $c; 166 | } 167 | 168 | function get_ini_paths($path) 169 | { 170 | if(!preg_match('/([;\\\\]|\W*[C-Z]{1}:)/', $path)) 171 | $path = str_replace(':', ';', $path); 172 | return explode(';', $path); 173 | } 174 | } 175 | 176 | ?> -------------------------------------------------------------------------------- /lib/constructer.php: -------------------------------------------------------------------------------- 1 | . 
15 | 16 | **/ 17 | 18 | // variable declarations = childs 19 | class VarDeclare 20 | { 21 | public $id; 22 | public $tokens; 23 | public $tokenscanstart; 24 | public $tokenscanstop; 25 | public $value; 26 | public $comment; 27 | public $line; 28 | public $marker; 29 | public $dependencies; 30 | public $stopvar; 31 | public $array_keys; 32 | 33 | function __construct($tokens = array(), $comment = '') 34 | { 35 | $this->id = 0; 36 | $this->tokens = $tokens; 37 | $this->tokenscanstart = 0; 38 | $this->tokenscanstop = count($tokens); 39 | $this->value = ''; 40 | $this->comment = $comment; 41 | $this->line = ''; 42 | $this->marker = 0; 43 | $this->dependencies = array(); 44 | $this->stopvar = false; 45 | $this->array_keys = array(); 46 | } 47 | } 48 | 49 | // group vulnerable parts to one vulnerability trace 50 | class VulnBlock 51 | { 52 | public $uid; 53 | public $vuln; 54 | public $category; 55 | public $treenodes; 56 | public $sink; 57 | public $dataleakvar; 58 | public $alternates; 59 | 60 | function __construct($uid = '', $category = 'match', $sink = '') 61 | { 62 | $this->uid = $uid; 63 | $this->vuln = false; 64 | $this->category = $category; 65 | $this->treenodes = array(); 66 | $this->sink = $sink; 67 | $this->dataleakvar = array(); 68 | $this->alternates = array(); 69 | } 70 | } 71 | 72 | // used to store new finds 73 | class VulnTreeNode 74 | { 75 | public $id; 76 | public $value; 77 | public $dependencies; 78 | public $title; 79 | public $name; 80 | public $marker; 81 | public $lines; 82 | public $filename; 83 | public $children; 84 | public $funcdepend; 85 | public $funcparamdepend; 86 | public $foundcallee; 87 | public $get; 88 | public $post; 89 | public $cookie; 90 | public $files; 91 | public $server; 92 | 93 | function __construct($value = null) 94 | { 95 | $this->id = 0; 96 | $this->value = $value; 97 | $this->title = ''; 98 | $this->dependencies = array(); 99 | $this->name = ''; 100 | $this->marker = 0; 101 | $this->lines = array(); 102 | 
$this->filename = ''; 103 | $this->children = array(); 104 | $this->funcdepend = ''; 105 | $this->funcparamdepend = null; 106 | $this->foundcallee = false; 107 | } 108 | } 109 | 110 | // information gathering finds 111 | class InfoTreeNode 112 | { 113 | public $value; 114 | public $dependencies; 115 | public $name; 116 | public $lines; 117 | public $title; 118 | public $filename; 119 | 120 | function __construct($value = null) 121 | { 122 | $this->title = 'File Inclusion'; 123 | $this->value = $value; 124 | $this->dependencies = array(); 125 | $this->name = ''; 126 | $this->lines = array(); 127 | $this->filename = ''; 128 | } 129 | } 130 | 131 | // function declaration 132 | class FunctionDeclare 133 | { 134 | public $value; 135 | public $tokens; 136 | public $name; 137 | public $line; 138 | public $marker; 139 | public $parameters; 140 | 141 | function __construct($tokens) 142 | { 143 | $this->value = ''; 144 | $this->tokens = $tokens; 145 | $this->name = ''; 146 | $this->line = 0; 147 | $this->marker = 0; 148 | $this->parameters = array(); 149 | } 150 | } 151 | 152 | ?> -------------------------------------------------------------------------------- /lib/filer.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | // get all php files from directory, including all subdirectories 19 | function read_recursiv($path, $scan_subdirs) 20 | { 21 | $result = array(); 22 | 23 | $handle = opendir($path); 24 | 25 | if ($handle) 26 | { 27 | while (false !== ($file = readdir($handle))) 28 | { 29 | if ($file !== '.' && $file !== '..') 30 | { 31 | $name = $path . '/' . 
$file; 32 | if (is_dir($name) && $scan_subdirs) 33 | { 34 | $ar = read_recursiv($name, true); 35 | foreach ($ar as $value) 36 | { 37 | if(in_array(substr($value, strrpos($value, '.')), $GLOBALS['FILETYPES'])) 38 | $result[] = $value; 39 | } 40 | } else if(in_array(substr($name, strrpos($name, '.')), $GLOBALS['FILETYPES'])) 41 | { 42 | $result[] = $name; 43 | } 44 | } 45 | } 46 | } 47 | closedir($handle); 48 | return $result; 49 | } 50 | 51 | ?> -------------------------------------------------------------------------------- /lib/printer.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | // add parsing error to output 19 | function addError($message, $tokens, $line_nr, $filename) 20 | { 21 | $GLOBALS['info'][] = '出现解析错误。请使用debug模式.'; 22 | if($GLOBALS['verbosity'] == 5) 23 | { 24 | $value = highlightline($tokens, '', $line_nr); 25 | $new_find = new InfoTreeNode($value); 26 | $new_find->title = 'Parse error: '.$message; 27 | $new_find->lines[] = $line_nr; 28 | $new_find->filename = $filename; 29 | 30 | $new_block = new VulnBlock('error', 'Debug'); 31 | $new_block->treenodes[] = $new_find; 32 | $new_block->vuln = true; 33 | $GLOBALS['output'][$filename]['error'] = $new_block; 34 | } 35 | } 36 | 37 | // tokens to string for comments 38 | function tokenstostring($tokens) 39 | { 40 | $output = ''; 41 | for($i=0;$i$line_nr: "; 66 | if($title) 67 | { 68 | $output.=''; 69 | $output.="$title "; 70 | } 71 | else if($udftitle) 72 | { 73 | $output.=' '; 74 | } 75 | 76 | $var_count = 0; 77 | 78 | for($i=0;$i$token "; 85 | else if(in_array($token, Tokens::$S_SPACE_WRAP) || in_array($token, Tokens::$S_ARITHMETIC)) 86 | $output .= ' '.$token.' 
'; 87 | else 88 | $output .= ''.htmlentities($token, ENT_QUOTES, 'utf-8').''; 89 | 90 | } 91 | else if (is_array($token) 92 | && $token[0] !== T_OPEN_TAG 93 | && $token[0] !== T_CLOSE_TAG) 94 | { 95 | 96 | if(in_array($token[0], Tokens::$T_SPACE_WRAP) || in_array($token[0], Tokens::$T_OPERATOR) || in_array($token[0], Tokens::$T_ASSIGNMENT)) 97 | { 98 | $output.= ' {$token[1]} "; 99 | } 100 | else 101 | { 102 | if($token[0] === T_FUNCTION) 103 | { 104 | $reference = false; 105 | $funcname = $tokens[$i+1][0] === T_STRING ? $tokens[$i+1][1] : $tokens[$i+2][1]; 106 | $output .= ''; 107 | $output .= ' '; 108 | } 109 | 110 | $text = htmlentities($token[1], ENT_QUOTES, 'utf-8'); 111 | $text = str_replace(array(' ', "\n"), ' ', $text); 112 | 113 | if($token[0] === T_FUNCTION) 114 | $text.=' '; 115 | 116 | if($token[0] === T_STRING && $reference 117 | && isset($GLOBALS['user_functions_offset'][strtolower($text)])) 118 | { 119 | $text = @'$text\n"; 120 | } 121 | else 122 | { 123 | $span = '$text"; 135 | else 136 | $span.= 'class="phps-'.str_replace('_', '-', strtolower(token_name($token[0])))."\">$text"; 137 | 138 | $text = $span; 139 | 140 | // rebuild array keys 141 | if(isset($token[3])) 142 | { 143 | foreach($token[3] as $key) 144 | { 145 | if($key != '*') 146 | { 147 | $text .= '['; 148 | if(!is_array($key)) 149 | { 150 | if(is_numeric($key)) 151 | $text .= '' . $key . ''; 152 | else 153 | $text .= '\'' . htmlentities($key, ENT_QUOTES, 'utf-8') . 
'\''; 154 | } else 155 | { 156 | foreach($key as $token) 157 | { 158 | if(is_array($token)) 159 | { 160 | $text .= ''.htmlentities($token[1], ENT_QUOTES, 'utf-8').''; 170 | } 171 | else 172 | $text .= "{$token}"; 173 | } 174 | } 175 | $text .= ']'; 176 | } 177 | } 178 | } 179 | } 180 | $output .= $text; 181 | if(is_array($token) && (in_array($token[0], Tokens::$T_INCLUDES) || in_array($token[0], Tokens::$T_XSS) || $token[0] === 'T_EVAL')) 182 | $output .= ' '; 183 | } 184 | } 185 | } 186 | 187 | if(!empty($comment)) 188 | $output .= ' // '.htmlentities($comment, ENT_QUOTES, 'utf-8').''; 189 | 190 | return $output; 191 | } 192 | 193 | // detect vulnerability type given by the PVF name 194 | // note: same names are used in help.php! 195 | function getVulnNodeTitle($func_name) 196 | { 197 | if(isset($GLOBALS['F_XSS'][$func_name])) 198 | { $vulnname = $GLOBALS['NAME_XSS']; } 199 | else if(isset($GLOBALS['F_HTTP_HEADER'][$func_name])) 200 | { $vulnname = $GLOBALS['NAME_HTTP_HEADER']; } 201 | else if(isset($GLOBALS['F_SESSION_FIXATION'][$func_name])) 202 | { $vulnname = $GLOBALS['NAME_SESSION_FIXATION']; } 203 | else if(isset($GLOBALS['F_DATABASE'][$func_name])) 204 | { $vulnname = $GLOBALS['NAME_DATABASE']; } 205 | else if(isset($GLOBALS['F_FILE_READ'][$func_name])) 206 | { $vulnname = $GLOBALS['NAME_FILE_READ']; } 207 | else if(isset($GLOBALS['F_FILE_AFFECT'][$func_name])) 208 | { $vulnname = $GLOBALS['NAME_FILE_AFFECT']; } 209 | else if(isset($GLOBALS['F_FILE_INCLUDE'][$func_name])) 210 | { $vulnname = $GLOBALS['NAME_FILE_INCLUDE']; } 211 | else if(isset($GLOBALS['F_CONNECT'][$func_name])) 212 | { $vulnname = $GLOBALS['NAME_CONNECT']; } 213 | else if(isset($GLOBALS['F_EXEC'][$func_name])) 214 | { $vulnname = $GLOBALS['NAME_EXEC']; } 215 | else if(isset($GLOBALS['F_CODE'][$func_name])) 216 | { $vulnname = $GLOBALS['NAME_CODE']; } 217 | else if(isset($GLOBALS['F_REFLECTION'][$func_name])) 218 | { $vulnname = $GLOBALS['NAME_REFLECTION']; } 219 | else 
if(isset($GLOBALS['F_XPATH'][$func_name])) 220 | { $vulnname = $GLOBALS['NAME_XPATH']; } 221 | else if(isset($GLOBALS['F_LDAP'][$func_name])) 222 | { $vulnname = $GLOBALS['NAME_LDAP'];} 223 | else if(isset($GLOBALS['F_POP'][$func_name])) 224 | { $vulnname = $GLOBALS['NAME_POP']; } 225 | else if(isset($GLOBALS['F_OTHER'][$func_name])) 226 | { $vulnname = $GLOBALS['NAME_OTHER']; } // :X 227 | else 228 | $vulnname = "unknown"; 229 | return $vulnname; 230 | } 231 | 232 | // detect vulnerability type given by the PVF name 233 | // note: same names are used in help.php! 234 | function increaseVulnCounter($func_name) 235 | { 236 | if(isset($GLOBALS['F_XSS'][$func_name])) 237 | { $GLOBALS['count_xss']++; } 238 | else if(isset($GLOBALS['F_HTTP_HEADER'][$func_name])) 239 | { $GLOBALS['count_header']++; } 240 | else if(isset($GLOBALS['F_SESSION_FIXATION'][$func_name])) 241 | { $GLOBALS['count_sf']++; } 242 | else if(isset($GLOBALS['F_DATABASE'][$func_name])) 243 | { $GLOBALS['count_sqli']++; } 244 | else if(isset($GLOBALS['F_FILE_READ'][$func_name])) 245 | { $GLOBALS['count_fr']++; } 246 | else if(isset($GLOBALS['F_FILE_AFFECT'][$func_name])) 247 | { $GLOBALS['count_fa']++; } 248 | else if(isset($GLOBALS['F_FILE_INCLUDE'][$func_name])) 249 | { $GLOBALS['count_fi']++; } 250 | else if(isset($GLOBALS['F_CONNECT'][$func_name])) 251 | { $GLOBALS['count_con']++; } 252 | else if(isset($GLOBALS['F_EXEC'][$func_name])) 253 | { $GLOBALS['count_exec']++; } 254 | else if(isset($GLOBALS['F_CODE'][$func_name])) 255 | { $GLOBALS['count_code']++; } 256 | else if(isset($GLOBALS['F_REFLECTION'][$func_name])) 257 | { $GLOBALS['count_ri']++; } 258 | else if(isset($GLOBALS['F_XPATH'][$func_name])) 259 | { $GLOBALS['count_xpath']++; } 260 | else if(isset($GLOBALS['F_LDAP'][$func_name])) 261 | { $GLOBALS['count_ldap']++; } 262 | else if(isset($GLOBALS['F_POP'][$func_name])) 263 | { $GLOBALS['count_pop']++; } 264 | else if(isset($GLOBALS['F_OTHER'][$func_name])) 265 | { $GLOBALS['count_other']++; } 
// :X 266 | } 267 | 268 | // traced parameter output bottom-up 269 | function traverseBottomUp($tree) 270 | { 271 | echo 'marker) 273 | { 274 | case 1: echo ' class="userinput"'; break; 275 | case 2: echo ' class="validated"'; break; 276 | case 3: echo ' class="functioninput"'; break; 277 | case 4: echo ' class="persistent"'; break; 278 | } 279 | echo '>
  • ' . $tree->value; 280 | 281 | if($tree->children) 282 | { 283 | foreach ($tree->children as $child) 284 | { 285 | traverseBottomUp($child); 286 | } 287 | } 288 | echo '
  • ',"\n"; 289 | } 290 | 291 | // traced parameter output top-down 292 | function traverseTopDown($tree, $start=true, $lines=array()) 293 | { 294 | if($start) echo '
      '; 295 | 296 | foreach ($tree->children as $child) 297 | { 298 | $lines = traverseTopDown($child, false, $lines); 299 | } 300 | 301 | // do not display a line twice 302 | // problem: different lines in different files with equal line number 303 | if(!isset($lines[$tree->line])) 304 | { 305 | echo 'marker) 307 | { 308 | case 1: echo ' class="userinput"'; break; 309 | case 2: echo ' class="validated"'; break; 310 | case 3: echo ' class="functioninput"'; break; 311 | case 4: echo ' class="persistent"'; break; 312 | } 313 | echo '>',$tree->value,'',"\n"; 314 | // add to array to ignore next time 315 | $lines[$tree->line] = 1; 316 | } 317 | 318 | if($start) echo '
    '; 319 | 320 | return $lines; 321 | } 322 | 323 | // requirements output 324 | function dependenciesTraverse($tree) 325 | { 326 | if(!empty($tree->dependencies)) 327 | { 328 | echo '
    • requires:'; 329 | 330 | foreach ($tree->dependencies as $linenr=>$dependency) 331 | { 332 | if(!empty($dependency)) 333 | { 334 | echo '
      • '.highlightline($dependency, '', $linenr).'
      '; 335 | } 336 | } 337 | 338 | echo '
    ',"\n"; 339 | } 340 | } 341 | 342 | // check for vulns found in file 343 | function fileHasVulns($blocks) 344 | { 345 | foreach($blocks as $block) 346 | { 347 | if($block->vuln) 348 | return true; 349 | } 350 | return false; 351 | } 352 | 353 | // print the scanresult 354 | function printoutput($output, $treestyle=1) 355 | { 356 | if(!empty($output)) 357 | { 358 | $nr=0; 359 | reset($output); 360 | do 361 | { 362 | if(key($output) != "" && !empty($output[key($output)]) && fileHasVulns($output[key($output)])) 363 | { 364 | echo '
    ', 365 | 'File: ',key($output),'
    ', 366 | '

    '; 367 | 368 | foreach($output[key($output)] as $vulnBlock) 369 | { 370 | if($vulnBlock->vuln) 371 | { 372 | $nr++; 373 | echo '
    ', 374 | '
    ',$vulnBlock->category,'
    ', 376 | '
    '; 377 | 378 | if($treestyle == 2) 379 | krsort($vulnBlock->treenodes); 380 | 381 | foreach($vulnBlock->treenodes as $tree) 382 | { 383 | // we do not have a prescan yet so RIPS misses function calls before the actual declaration, so we output vulns in functions without function call too (could have happened earlier) 384 | // if(empty($tree->funcdepend) || $tree->foundcallee ) 385 | { 386 | echo '
    ',"\n", 387 | '
    ',"\n", 388 | '
    '."\n", 392 | '

    ',"\n"; 394 | 395 | if(isset($GLOBALS['scan_functions'][$tree->name])) 396 | { 397 | // help button 398 | echo '
    ',"\n"; 405 | 406 | if(isset($GLOBALS['F_DATABASE'][$tree->name]) 407 | || isset($GLOBALS['F_FILE_AFFECT'][$tree->name]) 408 | || isset($GLOBALS['F_FILE_READ'][$tree->name]) 409 | || isset($GLOBALS['F_LDAP'][$tree->name]) 410 | || isset($GLOBALS['F_XPATH'][$tree->name]) 411 | || isset($GLOBALS['F_POP'][$tree->name]) ) 412 | { 413 | // data leak scan 414 | if(!empty($vulnBlock->dataleakvar)) 415 | { 416 | echo '
    ',"\n"; // line 419 | } else 420 | { 421 | $tree->title .= ' (Blind exploitation)'; 422 | } 423 | } 424 | } 425 | 426 | if(!empty($tree->get) || !empty($tree->post) 427 | || !empty($tree->cookie) || !empty($tree->files) 428 | || !empty($tree->server) ) 429 | { 430 | /*echo '
    ',"\n",*/ 438 | 439 | echo '
    '; 447 | } 448 | // $tree->title 449 | echo '
    ',$tree->title,'', 450 | '
    ',"\n"; 451 | 452 | if($treestyle == 1) 453 | traverseBottomUp($tree); 454 | else if($treestyle == 2) 455 | traverseTopDown($tree); 456 | 457 | echo '
    • ',"\n"; 458 | dependenciesTraverse($tree); 459 | echo '
    ',"\n", '
    ',"\n", '
    ',"\n"; 460 | } 461 | } 462 | 463 | if(!empty($vulnBlock->alternatives)) 464 | { 465 | echo '
    • Vulnerability is also triggered in:'; 466 | foreach($vulnBlock->alternatives as $alternative) 467 | { 468 | echo '
      • '.$alternative.'
      '; 469 | } 470 | echo '
    '; 471 | } 472 | 473 | echo '
    ',"\n"; 474 | } 475 | } 476 | 477 | echo '
    ',"\n", 478 | '',"\n", 480 | '

    ',"\n"; 481 | } 482 | else if(count($output) == 1) 483 | { 484 | echo '
    Nothing vulnerable found. Change the verbosity level or vulnerability type and try again.
    '; 485 | } 486 | } 487 | while(next($output)); 488 | } 489 | else if(count($GLOBALS['scanned_files']) > 0) 490 | { 491 | echo '
    Nothing vulnerable found. Change the verbosity level or vulnerability type and try again.
    '; 492 | } 493 | else 494 | { 495 | echo '
    Nothing to scan. Please check your path/file name.
    '; 496 | } 497 | 498 | } 499 | 500 | // build list of available functions 501 | function createFunctionList($user_functions_offset) 502 | { 503 | if(!empty($user_functions_offset)) 504 | { 505 | ksort($user_functions_offset); 506 | if($GLOBALS['file_amount'] <= WARNFILES) 507 | $js = 'graph2 = new Graph(document.getElementById("functioncanvas"));'."\n"; 508 | else 509 | $js = 'canvas = document.getElementById("functioncanvas");ctx = canvas.getContext("2d");ctx.fillStyle="#ff0000";ctx.fillText("Graphs have been disabled for a high file amount (>'.WARNFILES.').", 20, 30);'; 510 | $x=20; 511 | $y=50; 512 | $i=0; 513 | 514 | if($GLOBALS['file_amount'] <= WARNFILES) 515 | { 516 | // create JS graph elements 517 | foreach($user_functions_offset as $func_name => $info) 518 | { 519 | if($func_name !== '__main__') 520 | { 521 | $x = ($i%4==0) ? $x=20 : $x=$x+160; 522 | $y = ($i%4==0) ? $y=$y+70 : $y=$y; 523 | $i++; 524 | 525 | $func_varname = str_replace('::', '', $func_name); 526 | 527 | $js.= "var e$func_varname = graph2.addElement(pageTemplate, { x:$x, y:$y }, '".addslashes($func_name)."( )', '', '".(isset($info[5]) ? $info[5] : 0)."', '".(isset($info[6]) ? $info[6] : 0)."', 0);\n"; 528 | } else 529 | { 530 | $js.='var e__main__ = graph2.addElement(pageTemplate, { x:260, y:20 }, "__main__", "", "'.(isset($info[5]) ? $info[5] : 0).'", "'.(isset($info[6]) ? $info[6] : 0).'", 0);'."\n"; 531 | } 532 | } 533 | } 534 | 535 | echo '
    '; 536 | foreach($user_functions_offset as $func_name => $info) 537 | { 538 | if($func_name !== '__main__') 539 | echo ''; 553 | 554 | if(isset($info[4]) && $GLOBALS['file_amount'] <= WARNFILES) 555 | { 556 | foreach($info[4] as $call) 557 | { 558 | if(!is_array($call)) 559 | { 560 | $color = (isset($info[4][$call])) ? '#F00' : '#000'; 561 | $js.="try{graph2.addConnection(e$call.getConnector(\"links\"), e$func_name.getConnector(\"parents\"), '$color');}catch(e){}\n"; 562 | } 563 | } 564 | } 565 | } 566 | if($GLOBALS['file_amount'] <= WARNFILES) 567 | $js.='graph2.update();'; 568 | echo '
    declarationcalls
    ',$func_name,'
    '; 542 | 543 | $calls = array(); 544 | if(isset($info[3])) 545 | { 546 | foreach($info[3] as $call) 547 | { 548 | $calls[] = ''.$call[1].''; 550 | } 551 | } 552 | echo implode(',',array_unique($calls)).'
    ',"\n\n"; 569 | } else 570 | { 571 | echo "\n"; 572 | } 573 | } 574 | 575 | // build list of all entry points (user input) 576 | function createUserinputList($user_input) 577 | { 578 | if(!empty($user_input)) 579 | { 580 | ksort($user_input); 581 | echo ''; 582 | foreach($user_input as $input_name => $file) 583 | { 584 | $finds = array(); 585 | foreach($file as $file_name => $lines) 586 | { 587 | foreach($lines as $line) 588 | { 589 | $finds[] = '$line\n"; 590 | } 591 | } 592 | echo "'; 593 | 594 | } 595 | echo '
    type[parameter]taints
    $input_name",implode(',',array_unique($finds)),'
    '; 596 | } else 597 | { 598 | echo 'No userinput found.'; 599 | } 600 | } 601 | 602 | // build list of all scanned files 603 | function createFileList($files, $file_sinks) 604 | { 605 | if(!empty($files)) 606 | { 607 | if($GLOBALS['file_amount'] <= WARNFILES) 608 | $js = 'graph = new Graph(document.getElementById("filecanvas"));'."\n"; 609 | else 610 | $js = 'canvas = document.getElementById("filecanvas");ctx = canvas.getContext("2d");ctx.fillStyle="#ff0000";ctx.fillText("Graphs have been disabled for a high file amount (>'.WARNFILES.').", 20, 30);'; 611 | 612 | // get vuln files 613 | $vulnfiles = array(); 614 | foreach($GLOBALS['output'] as $filename => $blocks) 615 | { 616 | foreach($blocks as $block) 617 | { 618 | if($block->vuln) 619 | { 620 | $vulnfiles[] = $block->treenodes[0]->filename; 621 | } 622 | } 623 | } 624 | 625 | // sort files by "include weight" (main files on top, included files bottom) 626 | $mainfiles = array(); 627 | $incfiles = array(); 628 | foreach($files as $file => $includes) 629 | { 630 | $mainfiles[] = realpath($file); 631 | if(!empty($includes)) 632 | { 633 | foreach($includes as $include) 634 | { 635 | $incfiles[] = realpath($include); 636 | } 637 | } 638 | } 639 | $elements = array_unique(array_merge(array_diff($mainfiles,$incfiles), array('__break__'), $incfiles)); 640 | $x=20; 641 | $y=-50; 642 | $i=0; 643 | $style = 'pageTemplate'; 644 | 645 | // add JS elements 646 | foreach($elements as $file) 647 | { 648 | if($file !== '__break__') 649 | { 650 | $x = ($i%4==0) ? $x=20 : $x=$x+160; 651 | $y = ($i%4==0) ? $y=$y+70 : $y=$y; 652 | $i++; 653 | 654 | // leave space for legend symbols 655 | if($i==3) 656 | $i++; 657 | 658 | $file = realpath($file); 659 | 660 | $filename = is_dir($_POST['loc']) ? 
str_replace(realpath($_POST['loc']), '', $file) : str_replace(realpath(str_replace(basename($_POST['loc']),'', $_POST['loc'])),'',$file); 661 | $varname = preg_replace('/[^A-Za-z0-9]/', '', $filename); 662 | 663 | $userinput = 0; 664 | foreach($GLOBALS['user_input'] as $inputname) 665 | { 666 | if(isset($inputname[$file])) 667 | $userinput++; 668 | } 669 | 670 | if($GLOBALS['file_amount'] <= WARNFILES) 671 | $js.= "var e$varname = graph.addElement($style, { x:$x, y:$y }, '".htmlentities($filename, ENT_QUOTES)."', '', '".$userinput."', '".htmlentities($file_sinks[$file], ENT_QUOTES)."', ".(in_array($file, $vulnfiles) ? 1 : 0).");\n"; 672 | 673 | } else 674 | { 675 | // add to $i what is missing til new row is created 676 | $i=$i+(4-($i%4)); 677 | $y+=30; 678 | $style = 'scriptTemplate'; 679 | } 680 | } 681 | 682 | // build file list and add connection to includes 683 | echo '
    '; 684 | foreach($files as $file => $includes) 685 | { 686 | $file = realpath($file); 687 | 688 | $filename = is_dir($_POST['loc']) ? str_replace(realpath($_POST['loc']), '', $file) : str_replace(realpath(str_replace(basename($_POST['loc']),'', $_POST['loc'])),'',$file); 689 | $varname = preg_replace('/[^A-Za-z0-9]/', '', $filename); 690 | 691 | if(empty($includes)) 692 | { 693 | echo '',"\n"; 695 | } 696 | else 697 | { 698 | $parent = $varname; 699 | echo '',"\n"; 715 | } 716 | 717 | } 718 | if($GLOBALS['file_amount'] <= WARNFILES) 719 | $js.='graph.update();'; 720 | echo '
    ',htmlentities($filename),'
    ',htmlentities($filename),'
      ',"\n"; 701 | foreach($includes as $include) 702 | { 703 | $include = realpath($include); 704 | 705 | $includename = is_dir($_POST['loc']) ? str_replace(realpath($_POST['loc']), '', $include) : str_replace(realpath(str_replace(basename($_POST['loc']),'', $_POST['loc'])),'',$include); 706 | $incvarname = preg_replace('/[^A-Za-z0-9]/', '', $includename); 707 | 708 | echo '
    • ',htmlentities($includename),'
    • ',"\n"; 710 | 711 | if($GLOBALS['file_amount'] <= WARNFILES) 712 | $js.="try{graph.addConnection(e$incvarname.getConnector(\"links\"), e$parent.getConnector(\"parents\"), '#000');}catch(e){}\n"; 713 | } 714 | echo '
    ',"\n\n"; 721 | } 722 | } 723 | 724 | function statsRow($nr, $name, $amount, $all) 725 | { 726 | echo '',$name,':
    ',$amount,'
    '; 728 | } 729 | 730 | ?> -------------------------------------------------------------------------------- /lib/searcher.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | function searchFile($file_name, $search) 19 | { 20 | $search = str_replace('/', '.', $search); 21 | $lines = file($file_name); 22 | $block = new VulnBlock('Search hits'); 23 | for($i=0; $i'); 30 | $line = highlightline($tokens, '', $i+1, $search); 31 | 32 | $line = preg_replace("/(>[^<]*)(".preg_quote(trim($matches[0]), '/').")/i", "$1$2", $line); 33 | $new_find = new VulnTreeNode($line); 34 | $new_find->filename = $file_name; 35 | $new_find->title = 'Regular expression match'; 36 | $new_find->lines[] = $i+1; 37 | 38 | $block->treenodes[] = $new_find; 39 | $block->vuln = true; 40 | } 41 | } 42 | $id = (isset($GLOBALS['output'][$file_name])) ? count($GLOBALS['output'][$file_name]) : 0; 43 | $GLOBALS['output'][$file_name][$id] = $block; 44 | } 45 | 46 | ?> -------------------------------------------------------------------------------- /lib/tokenizer.php: -------------------------------------------------------------------------------- 1 | . 
15 | 16 | **/ 17 | 18 | class Tokenizer 19 | { 20 | public $filename; 21 | public $tokens; 22 | 23 | function __construct($filename) 24 | { 25 | $this->filename = $filename; 26 | } 27 | 28 | // main 29 | public function tokenize($code) 30 | { 31 | $this->tokens = token_get_all($code); 32 | $this->prepare_tokens(); 33 | $this->array_reconstruct_tokens(); 34 | $this->fix_tokens(); 35 | $this->fix_ternary(); 36 | #die(print_r($this->tokens)); 37 | return $this->tokens; 38 | } 39 | 40 | // adds braces around offsets 41 | function wrapbraces($start, $between, $end) 42 | { 43 | $this->tokens = array_merge( 44 | array_slice($this->tokens, 0, $start), array('{'), 45 | array_slice($this->tokens, $start, $between), array('}'), 46 | array_slice($this->tokens, $end) 47 | ); 48 | } 49 | 50 | // delete all tokens to ignore while scanning, mostly whitespaces 51 | function prepare_tokens() 52 | { 53 | // delete whitespaces and other unimportant tokens, rewrite some special tokens 54 | for($i=0, $max=count($this->tokens); $i<$max; $i++) 55 | { 56 | if( is_array($this->tokens[$i]) ) 57 | { 58 | if( in_array($this->tokens[$i][0], Tokens::$T_IGNORE) ) 59 | unset($this->tokens[$i]); 60 | else if( $this->tokens[$i][0] === T_CLOSE_TAG ) 61 | $this->tokens[$i] = ';'; 62 | else if( $this->tokens[$i][0] === T_OPEN_TAG_WITH_ECHO ) 63 | $this->tokens[$i][1] = 'echo'; 64 | } 65 | // @ (depress errors) disturbs connected token handling 66 | else if($this->tokens[$i] === '@') 67 | { 68 | unset($this->tokens[$i]); 69 | } 70 | // rewrite $array{index} to $array[index] 71 | else if( $this->tokens[$i] === '{' 72 | && isset($this->tokens[$i-1]) && ((is_array($this->tokens[$i-1]) && $this->tokens[$i-1][0] === T_VARIABLE) 73 | || $this->tokens[$i-1] === ']') ) 74 | { 75 | $this->tokens[$i] = '['; 76 | $f=1; 77 | while($this->tokens[$i+$f] !== '}') 78 | { 79 | $f++; 80 | if(!isset($this->tokens[$i+$f])) 81 | { 82 | addError('Could not find closing brace of '.$this->tokens[$i-1][1].'{}.', 
array_slice($this->tokens, $i-1, 2), $this->tokens[$i-1][2], $this->filename); 83 | break; 84 | } 85 | } 86 | $this->tokens[$i+$f] = ']'; 87 | } 88 | } 89 | 90 | // rearranged key index of tokens 91 | $this->tokens = array_values($this->tokens); 92 | } 93 | 94 | // some tokenchains need to be fixed to scan correctly later 95 | function fix_tokens() 96 | { 97 | for($i=0; $i<($max=count($this->tokens)); $i++) 98 | { 99 | // convert `backticks` to backticks() 100 | if( $this->tokens[$i] === '`' ) 101 | { 102 | $f=1; 103 | while( $this->tokens[$i+$f] !== '`' ) 104 | { 105 | // get line_nr of any near token 106 | if( is_array($this->tokens[$i+$f]) ) 107 | $line_nr = $this->tokens[$i+$f][2]; 108 | 109 | $f++; 110 | if(!isset($this->tokens[$i+$f]) || $this->tokens[$i+$f] === ';') 111 | { 112 | addError('Could not find closing backtick `.', array_slice($this->tokens, $i, 5), $this->tokens[$i+1][2], $this->filename); 113 | break; 114 | } 115 | } 116 | if(!empty($line_nr)) 117 | { 118 | $this->tokens[$i+$f] = ')'; 119 | $this->tokens[$i] = array(T_STRING, 'backticks', $line_nr); 120 | 121 | // add element backticks() to array 122 | $this->tokens = array_merge( 123 | array_slice($this->tokens, 0, $i+1), array('('), 124 | array_slice($this->tokens, $i+1) 125 | ); 126 | } 127 | 128 | } 129 | // real token 130 | else if( is_array($this->tokens[$i]) ) 131 | { 132 | // rebuild if-clauses, for(), foreach(), while() without { } 133 | if ( ($this->tokens[$i][0] === T_IF || $this->tokens[$i][0] === T_ELSEIF || $this->tokens[$i][0] === T_FOR 134 | || $this->tokens[$i][0] === T_FOREACH || $this->tokens[$i][0] === T_WHILE) && $this->tokens[$i+1] === '(' ) 135 | { 136 | // skip condition in ( ) 137 | $f=2; 138 | $braceopen = 1; 139 | while($braceopen !== 0 ) 140 | { 141 | if($this->tokens[$i+$f] === '(') 142 | $braceopen++; 143 | else if($this->tokens[$i+$f] === ')') 144 | $braceopen--; 145 | $f++; 146 | 147 | if(!isset($this->tokens[$i+$f])) 148 | { 149 | addError('Could not find closing 
parenthesis of '.$this->tokens[$i][1].'-statement.', array_slice($this->tokens, $i, 5), $this->tokens[$i][2], $this->filename); 150 | break; 151 | } 152 | } 153 | 154 | // alternate syntax while(): endwhile; 155 | if($this->tokens[$i+$f] === ':') 156 | { 157 | switch($this->tokens[$i][0]) 158 | { 159 | case T_IF: 160 | case T_ELSEIF: $endtoken = T_ENDIF; break; 161 | case T_FOR: $endtoken = T_ENDFOR; break; 162 | case T_FOREACH: $endtoken = T_ENDFOREACH; break; 163 | case T_WHILE: $endtoken = T_ENDWHILE; break; 164 | default: $endtoken = ';'; 165 | } 166 | 167 | $c=1; 168 | while( $this->tokens[$i+$f+$c][0] !== $endtoken) 169 | { 170 | $c++; 171 | if(!isset($this->tokens[$i+$f+$c])) 172 | { 173 | addError('Could not find end'.$this->tokens[$i][1].'; of alternate '.$this->tokens[$i][1].'-statement.', array_slice($this->tokens, $i, $f+1), $this->tokens[$i][2], $this->filename); 174 | break; 175 | } 176 | } 177 | $this->wrapbraces($i+$f+1, $c+1, $i+$f+$c+2); 178 | } 179 | // if body not in { (and not a do ... 
while();) wrap next instruction in braces 180 | else if($this->tokens[$i+$f] !== '{' && $this->tokens[$i+$f] !== ';') 181 | { 182 | $c=1; 183 | while($this->tokens[$i+$f+$c] !== ';' && $c<$max) 184 | { 185 | $c++; 186 | } 187 | $this->wrapbraces($i+$f, $c+1, $i+$f+$c+1); 188 | } 189 | } 190 | // rebuild else without { } 191 | else if( $this->tokens[$i][0] === T_ELSE 192 | && $this->tokens[$i+1][0] !== T_IF 193 | && $this->tokens[$i+1] !== '{') 194 | { 195 | $f=2; 196 | while( $this->tokens[$i+$f] !== ';' && $f<$max) 197 | { 198 | $f++; 199 | } 200 | $this->wrapbraces($i+1, $f, $i+$f+1); 201 | } 202 | // rebuild switch (): endswitch; 203 | else if( $this->tokens[$i][0] === T_SWITCH && $this->tokens[$i+1] === '(') 204 | { 205 | $newbraceopen = 1; 206 | $c=2; 207 | while( $newbraceopen !== 0 ) 208 | { 209 | // watch function calls in function call 210 | if( $this->tokens[$i + $c] === '(' ) 211 | { 212 | $newbraceopen++; 213 | } 214 | else if( $this->tokens[$i + $c] === ')' ) 215 | { 216 | $newbraceopen--; 217 | } 218 | else if(!isset($this->tokens[$i+$c]) || $this->tokens[$i + $c] === ';') 219 | { 220 | addError('Could not find closing parenthesis of switch-statement.', array_slice($this->tokens, $i, 10), $this->tokens[$i][2], $this->filename); 221 | break; 222 | } 223 | $c++; 224 | } 225 | // switch(): ... 
endswitch; 226 | if($this->tokens[$i + $c] === ':') 227 | { 228 | $f=1; 229 | while( $this->tokens[$i+$c+$f][0] !== T_ENDSWITCH) 230 | { 231 | $f++; 232 | if(!isset($this->tokens[$i+$c+$f])) 233 | { 234 | addError('Could not find endswitch; of alternate switch-statement.', array_slice($this->tokens, $i, $c+1), $this->tokens[$i][2], $this->filename); 235 | break; 236 | } 237 | } 238 | $this->wrapbraces($i+$c+1, $f+1, $i+$c+$f+2); 239 | } 240 | } 241 | // rebuild switch case: without { } 242 | else if( $this->tokens[$i][0] === T_CASE ) 243 | { 244 | $e=1; 245 | while($this->tokens[$i+$e] !== ':' && $this->tokens[$i+$e] !== ';') 246 | { 247 | $e++; 248 | 249 | if(!isset($this->tokens[$i+$e])) 250 | { 251 | addError('Could not find : or ; after '.$this->tokens[$i][1].'-statement.', array_slice($this->tokens, $i, 5), $this->tokens[$i][2], $this->filename); 252 | break; 253 | } 254 | } 255 | $f=$e+1; 256 | if(($this->tokens[$i+$e] === ':' || $this->tokens[$i+$e] === ';') 257 | && $this->tokens[$i+$f] !== '{' 258 | && $this->tokens[$i+$f][0] !== T_CASE && $this->tokens[$i+$f][0] !== T_DEFAULT) 259 | { 260 | $newbraceopen = 0; 261 | while($newbraceopen || (isset($this->tokens[$i+$f]) && $this->tokens[$i+$f] !== '}' 262 | && !(is_array($this->tokens[$i+$f]) 263 | && ($this->tokens[$i+$f][0] === T_BREAK || $this->tokens[$i+$f][0] === T_CASE 264 | || $this->tokens[$i+$f][0] === T_DEFAULT || $this->tokens[$i+$f][0] === T_ENDSWITCH) ) )) 265 | { 266 | if($this->tokens[$i+$f] === '{') 267 | $newbraceopen++; 268 | else if($this->tokens[$i+$f] === '}') 269 | $newbraceopen--; 270 | $f++; 271 | 272 | if(!isset($this->tokens[$i+$f])) 273 | { 274 | addError('Could not find ending of '.$this->tokens[$i][1].'-statement.', array_slice($this->tokens, $i, $e+5), $this->tokens[$i][2], $this->filename); 275 | break; 276 | } 277 | } 278 | if($this->tokens[$i+$f][0] === T_BREAK) 279 | { 280 | if($this->tokens[$i+$f+1] === ';') 281 | $this->wrapbraces($i+$e+1, $f-$e+1, $i+$f+2); 282 | // break 
3; 283 | else 284 | $this->wrapbraces($i+$e+1, $f-$e+2, $i+$f+3); 285 | } 286 | else 287 | { 288 | $this->wrapbraces($i+$e+1, $f-$e-1, $i+$f); 289 | } 290 | $i++; 291 | } 292 | } 293 | // rebuild switch default: without { } 294 | else if( $this->tokens[$i][0] === T_DEFAULT 295 | && $this->tokens[$i+2] !== '{' ) 296 | { 297 | $f=2; 298 | $newbraceopen = 0; 299 | while( $this->tokens[$i+$f] !== ';' && $this->tokens[$i+$f] !== '}' || $newbraceopen ) 300 | { 301 | if($this->tokens[$i+$f] === '{') 302 | $newbraceopen++; 303 | else if($this->tokens[$i+$f] === '}') 304 | $newbraceopen--; 305 | $f++; 306 | 307 | if(!isset($this->tokens[$i+$f])) 308 | { 309 | addError('Could not find ending of '.$this->tokens[$i][1].'-statement.', array_slice($this->tokens, $i, 5), $this->tokens[$i][2], $this->filename); 310 | break; 311 | } 312 | } 313 | $this->wrapbraces($i+2, $f-1, $i+$f+1); 314 | } 315 | // lowercase all function names because PHP doesn't care 316 | else if( $this->tokens[$i][0] === T_FUNCTION ) 317 | { 318 | $this->tokens[$i+1][1] = strtolower($this->tokens[$i+1][1]); 319 | } 320 | else if( $this->tokens[$i][0] === T_STRING && $this->tokens[$i+1] === '(') 321 | { 322 | $this->tokens[$i][1] = strtolower($this->tokens[$i][1]); 323 | } 324 | // switch a do while with a while (the difference in loop rounds doesnt matter 325 | // and we need the condition to be parsed before the loop tokens) 326 | else if( $this->tokens[$i][0] === T_DO ) 327 | { 328 | $f=2; 329 | $otherDOs = 0; 330 | // f = T_WHILE token position relative to i 331 | while( $this->tokens[$i+$f][0] !== T_WHILE || $otherDOs ) 332 | { 333 | if($this->tokens[$i+$f][0] === T_DO) 334 | $otherDOs++; 335 | else if($this->tokens[$i+$f][0] === T_WHILE) 336 | $otherDOs--; 337 | $f++; 338 | 339 | if(!isset($this->tokens[$i+$f])) 340 | { 341 | addError('Could not find WHILE of DO-WHILE-statement.', array_slice($this->tokens, $i, 5), $this->tokens[$i][2], $this->filename); 342 | break; 343 | } 344 | } 345 | 346 | // 
rebuild do while without {} (should never happen but we want to be sure) 347 | if($this->tokens[$i+1] !== '{') 348 | { 349 | $this->wrapbraces($i+1, $f-1, $i+$f); 350 | // by adding braces we added two new tokens 351 | $f+=2; 352 | } 353 | 354 | $d=1; 355 | // d = END of T_WHILE condition relative to i 356 | while( $this->tokens[$i+$f+$d] !== ';' && $d<$max ) 357 | { 358 | $d++; 359 | } 360 | 361 | // reorder tokens and replace DO WHILE with WHILE 362 | $this->tokens = array_merge( 363 | array_slice($this->tokens, 0, $i), // before DO 364 | array_slice($this->tokens, $i+$f, $d), // WHILE condition 365 | array_slice($this->tokens, $i+1, $f-1), // DO WHILE loop tokens 366 | array_slice($this->tokens, $i+$f+$d+1, count($this->tokens)) // rest of tokens without while condition 367 | ); 368 | } 369 | } 370 | } 371 | // return tokens with rearranged key index 372 | $this->tokens = array_values($this->tokens); 373 | } 374 | 375 | // rewrite $arrays[] to $variables and save keys in $tokens[$i][3] 376 | function array_reconstruct_tokens() 377 | { 378 | for($i=0,$max=count($this->tokens); $i<$max; $i++) 379 | { 380 | // check for arrays 381 | if( is_array($this->tokens[$i]) && $this->tokens[$i][0] === T_VARIABLE && $this->tokens[$i+1] === '[' ) 382 | { 383 | $this->tokens[$i][3] = array(); 384 | $has_more_keys = true; 385 | $index = -1; 386 | $c=2; 387 | 388 | // loop until no more index found: array[1][2][3] 389 | while($has_more_keys && $index < MAX_ARRAY_KEYS) 390 | { 391 | $index++; 392 | // save constant index as constant 393 | if(($this->tokens[$i+$c][0] === T_CONSTANT_ENCAPSED_STRING || $this->tokens[$i+$c][0] === T_LNUMBER || $this->tokens[$i+$c][0] === T_NUM_STRING || $this->tokens[$i+$c][0] === T_STRING) && $this->tokens[$i+$c+1] === ']') 394 | { 395 | unset($this->tokens[$i+$c-1]); 396 | $this->tokens[$i][3][$index] = str_replace(array('"', "'"), '', $this->tokens[$i+$c][1]); 397 | unset($this->tokens[$i+$c]); 398 | unset($this->tokens[$i+$c+1]); 399 | $c+=2; 400 
| // save tokens of non-constant index as token-array for backtrace later 401 | } else 402 | { 403 | $this->tokens[$i][3][$index] = array(); 404 | $newbraceopen = 1; 405 | unset($this->tokens[$i+$c-1]); 406 | while($newbraceopen !== 0) 407 | { 408 | if( $this->tokens[$i+$c] === '[' ) 409 | { 410 | $newbraceopen++; 411 | } 412 | else if( $this->tokens[$i+$c] === ']' ) 413 | { 414 | $newbraceopen--; 415 | } 416 | else 417 | { 418 | $this->tokens[$i][3][$index][] = $this->tokens[$i+$c]; 419 | } 420 | unset($this->tokens[$i+$c]); 421 | $c++; 422 | 423 | if(!isset($this->tokens[$i+$c])) 424 | { 425 | addError('Could not find closing bracket of '.$this->tokens[$i][1].'[].', array_slice($this->tokens, $i, 5), $this->tokens[$i][2], $this->filename); 426 | break; 427 | } 428 | } 429 | unset($this->tokens[$i+$c-1]); 430 | } 431 | if($this->tokens[$i+$c] !== '[') 432 | $has_more_keys = false; 433 | $c++; 434 | } 435 | 436 | $i+=$c-1; 437 | } 438 | } 439 | 440 | // return tokens with rearranged key index 441 | $this->tokens = array_values($this->tokens); 442 | } 443 | 444 | // handle ternary operator (remove condition, only values should be handled during trace) 445 | // problem: tainting in the condition is not actual tainting the line -> remove condition 446 | function fix_ternary() 447 | { 448 | for($i=0,$max=count($this->tokens); $i<$max; $i++) 449 | { 450 | if( $this->tokens[$i] === '?' 
) 451 | { 452 | unset($this->tokens[$i]); 453 | // condition in brackets: fine, delete condition 454 | if($this->tokens[$i-1] === ')') 455 | { 456 | unset($this->tokens[$i-1]); 457 | // delete tokens till ( 458 | $newbraceopen = 1; 459 | $f = 2; 460 | while( $newbraceopen !== 0 && $this->tokens[$i - $f] !== ';') 461 | { 462 | if( $this->tokens[$i - $f] === '(' ) 463 | { 464 | $newbraceopen--; 465 | } 466 | else if( $this->tokens[$i - $f] === ')' ) 467 | { 468 | $newbraceopen++; 469 | } 470 | unset($this->tokens[$i - $f]); 471 | $f++; 472 | 473 | if(($i-$f)<0) 474 | { 475 | addError('Could not find opening parenthesis in ternary operator (1).', array_slice($this->tokens, $i-5, 10), $this->tokens[$i+1][2], $this->filename); 476 | break; 477 | } 478 | } 479 | 480 | //delete token before, if T_STRING 481 | if($this->tokens[$i-$f] === '!' || (is_array($this->tokens[$i-$f]) 482 | && ($this->tokens[$i-$f][0] === T_STRING || $this->tokens[$i-$f][0] === T_EMPTY || $this->tokens[$i-$f][0] === T_ISSET))) 483 | { 484 | unset($this->tokens[$i-$f]); 485 | } 486 | 487 | } 488 | // condition is a check or assignment 489 | else if(in_array($this->tokens[$i-2][0], Tokens::$T_ASSIGNMENT) || in_array($this->tokens[$i-2][0], Tokens::$T_OPERATOR) ) 490 | { 491 | // remove both operands 492 | unset($this->tokens[$i-1]); 493 | unset($this->tokens[$i-2]); 494 | // if operand is in braces 495 | if($this->tokens[$i-3] === ')') 496 | { 497 | // delete tokens till ( 498 | $newbraceopen = 1; 499 | $f = 4; 500 | while( $newbraceopen !== 0 ) 501 | { 502 | if( $this->tokens[$i - $f] === '(' ) 503 | { 504 | $newbraceopen--; 505 | } 506 | else if( $this->tokens[$i - $f] === ')' ) 507 | { 508 | $newbraceopen++; 509 | } 510 | unset($this->tokens[$i - $f]); 511 | $f++; 512 | 513 | if(($i-$f)<0 || $this->tokens[$i - $f] === ';') 514 | { 515 | addError('Could not find opening parenthesis in ternary operator (2).', array_slice($this->tokens, $i-8, 6), $this->tokens[$i+1][2], $this->filename); 516 | break; 
517 | } 518 | } 519 | 520 | //delete token before, if T_STRING 521 | if(is_array($this->tokens[$i-$f]) 522 | && ($this->tokens[$i-$f][0] === T_STRING || $this->tokens[$i-$f][0] === T_EMPTY || $this->tokens[$i-$f][0] === T_ISSET)) 523 | { 524 | unset($this->tokens[$i-$f]); 525 | } 526 | } 527 | 528 | unset($this->tokens[$i-3]); 529 | 530 | } 531 | // condition is a single variable, delete 532 | else if(is_array($this->tokens[$i-1]) && $this->tokens[$i-1][0] === T_VARIABLE) 533 | { 534 | unset($this->tokens[$i-1]); 535 | } 536 | } 537 | } 538 | // return tokens with rearranged key index 539 | $this->tokens = array_values($this->tokens); 540 | } 541 | } 542 | 543 | ?> -------------------------------------------------------------------------------- /main.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | ############################### INCLUDES ################################ 19 | 20 | include('config/general.php'); // general settings 21 | include('config/sources.php'); // tainted variables and functions 22 | include('config/tokens.php'); // tokens for lexical analysis 23 | include('config/securing.php'); // securing functions 24 | include('config/sinks.php'); // sensitive sinks 25 | include('config/info.php'); // interesting functions 26 | 27 | include('lib/constructer.php'); // classes 28 | include('lib/filer.php'); // read files from dirs and subdirs 29 | include('lib/tokenizer.php'); // prepare and fix token list 30 | include('lib/analyzer.php'); // string analyzers 31 | include('lib/scanner.php'); // provides class for scan 32 | include('lib/printer.php'); // output scan result 33 | include('lib/searcher.php'); // search functions 34 | 35 | ############################### MAIN #################################### 36 | 37 | $start = microtime(TRUE); 38 | 39 | $output = array(); 40 | $info = array(); 41 | $scanned_files = array(); 42 | 43 | if(!empty($_POST['loc'])) 44 | { 45 | $location = 
realpath($_POST['loc']); 46 | 47 | if(is_dir($location)) 48 | { 49 | $scan_subdirs = isset($_POST['subdirs']) ? $_POST['subdirs'] : false; 50 | $files = read_recursiv($location, $scan_subdirs); 51 | 52 | if(count($files) > WARNFILES && !isset($_POST['ignore_warning'])) 53 | die('warning:'.count($files)); 54 | } 55 | else if(is_file($location) && in_array(substr($location, strrpos($location, '.')), $FILETYPES)) 56 | { 57 | $files[0] = $location; 58 | } 59 | else 60 | { 61 | $files = array(); 62 | } 63 | 64 | 65 | // SCAN 66 | if(empty($_POST['search'])) 67 | { 68 | $user_functions = array(); 69 | $user_functions_offset = array(); 70 | $user_input = array(); 71 | 72 | $file_sinks_count = array(); 73 | $count_xss=$count_sqli=$count_fr=$count_fa=$count_fi=$count_exec=$count_code=$count_eval=$count_xpath=$count_ldap=$count_con=$count_other=$count_pop=$count_inc=$count_inc_fail=$count_header=$count_sf=$count_ri=0; 74 | 75 | $verbosity = isset($_POST['verbosity']) ? $_POST['verbosity'] : 1; 76 | $scan_functions = array(); 77 | $info_functions = Info::$F_INTEREST; 78 | 79 | if($verbosity != 5) 80 | { 81 | switch($_POST['vector']) 82 | { 83 | case 'xss': $scan_functions = $F_XSS; break; 84 | case 'httpheader': $scan_functions = $F_HTTP_HEADER; break; 85 | case 'fixation': $scan_functions = $F_SESSION_FIXATION; break; 86 | case 'code': $scan_functions = $F_CODE; break; 87 | case 'ri': $scan_functions = $F_REFLECTION; break; 88 | case 'file_read': $scan_functions = $F_FILE_READ; break; 89 | case 'file_affect': $scan_functions = $F_FILE_AFFECT; break; 90 | case 'file_include':$scan_functions = $F_FILE_INCLUDE; break; 91 | case 'exec': $scan_functions = $F_EXEC; break; 92 | case 'database': $scan_functions = $F_DATABASE; break; 93 | case 'xpath': $scan_functions = $F_XPATH; break; 94 | case 'ldap': $scan_functions = $F_LDAP; break; 95 | case 'connect': $scan_functions = $F_CONNECT; break; 96 | case 'other': $scan_functions = $F_OTHER; break; 97 | case 'unserialize': { 98 | 
$scan_functions = $F_POP; 99 | $info_functions = Info::$F_INTEREST_POP; 100 | $source_functions = array('unserialize'); 101 | $verbosity = 2; 102 | } 103 | break; 104 | case 'client': 105 | $scan_functions = array_merge( 106 | $F_XSS, 107 | $F_HTTP_HEADER, 108 | $F_SESSION_FIXATION 109 | ); 110 | break; 111 | case 'server': 112 | $scan_functions = array_merge( 113 | $F_CODE, 114 | $F_REFLECTION, 115 | $F_FILE_READ, 116 | $F_FILE_AFFECT, 117 | $F_FILE_INCLUDE, 118 | $F_EXEC, 119 | $F_DATABASE, 120 | $F_XPATH, 121 | $F_LDAP, 122 | $F_CONNECT, 123 | $F_POP, 124 | $F_OTHER 125 | ); break; 126 | case 'all': 127 | default: 128 | $scan_functions = array_merge( 129 | $F_XSS, 130 | $F_HTTP_HEADER, 131 | $F_SESSION_FIXATION, 132 | $F_CODE, 133 | $F_REFLECTION, 134 | $F_FILE_READ, 135 | $F_FILE_AFFECT, 136 | $F_FILE_INCLUDE, 137 | $F_EXEC, 138 | $F_DATABASE, 139 | $F_XPATH, 140 | $F_LDAP, 141 | $F_CONNECT, 142 | $F_POP, 143 | $F_OTHER 144 | ); break; 145 | } 146 | } 147 | 148 | if($_POST['vector'] !== 'unserialize') 149 | { 150 | $source_functions = Sources::$F_OTHER_INPUT; 151 | // add file and database functions as tainting functions 152 | if( $verbosity > 1 && $verbosity < 5 ) 153 | { 154 | $source_functions = array_merge(Sources::$F_OTHER_INPUT, Sources::$F_FILE_INPUT, Sources::$F_DATABASE_INPUT); 155 | } 156 | } 157 | 158 | $overall_time = 0; 159 | $timeleft = 0; 160 | $file_amount = count($files); 161 | for($fit=0; $fit<$file_amount; $fit++) 162 | { 163 | // for scanning display 164 | $thisfile_start = microtime(TRUE); 165 | $file_scanning = $files[$fit]; 166 | 167 | echo ($fit) . '|' . $file_amount . '|' . $file_scanning . '|' . $timeleft . '|' . 
"\n"; 168 | @ob_flush(); 169 | flush(); 170 | 171 | // scan 172 | $scan = new Scanner($file_scanning, $scan_functions, $info_functions, $source_functions); 173 | $scan->parse(); 174 | $scanned_files[$file_scanning] = $scan->inc_map; 175 | 176 | $overall_time += microtime(TRUE) - $thisfile_start; 177 | // timeleft = average_time_per_file * file_amount_left 178 | $timeleft = round(($overall_time/($fit+1)) * ($file_amount - $fit+1),2); 179 | } 180 | #die("done"); 181 | echo "STATS_DONE.\n"; 182 | @ob_flush(); 183 | flush(); 184 | 185 | } 186 | // SEARCH 187 | else if(!empty($_POST['regex'])) 188 | { 189 | $count_matches = 0; 190 | $verbosity = 0; 191 | foreach($files as $file_name) 192 | { 193 | searchFile($file_name, $_POST['regex']); 194 | } 195 | } 196 | } 197 | 198 | $elapsed = microtime(TRUE) - $start; 199 | 200 | ################################ RESULT ################################# 201 | ?> 202 |
    203 |
    204 |
    205 | 206 | 207 |
    208 | 209 |
    210 |
    211 |
    212 |
    213 |
    214 |
    215 |
    216 |
    217 | 218 |
    ↵ return
    219 |
    220 |
    221 | 222 |
    223 |
    224 |
    225 | 226 |
    227 |
    228 |
    229 |
    230 | 231 |
    232 |
    233 |
    234 | 用户使用的函数 235 |
    236 | 237 |
    238 |
    239 |
    240 | 241 | 242 | 243 | (graph not available in debug mode)'; ?> 244 |
    245 | 248 | 249 | 250 |
    251 |
    252 |
    253 | 254 |
    255 |
    256 |
    257 | 变量使用 258 |
    259 | 260 |
    261 |
    262 | 265 |
    266 |
    267 |
    268 | 269 |
    270 |
    271 |
    272 | 扫描的文件 273 |
    274 | 275 |
    276 |
    277 |
    278 | 279 | 280 | 281 |
    282 | 285 | 286 | 287 |
    288 |
    289 |
    290 | 291 |
    292 |
    293 |
    294 |
    295 | 296 |
    297 | 298 | 299 | 300 | 301 | 302 |
    Result
    303 |
    304 | 305 | 0) 311 | { 312 | if($count_code > 0) 313 | statsRow(1, $NAME_CODE, $count_code, $count_all); 314 | if($count_exec > 0) 315 | statsRow(2, $NAME_EXEC, $count_exec, $count_all); 316 | if($count_con > 0) 317 | statsRow(3, $NAME_CONNECT, $count_con, $count_all); 318 | if($count_fr > 0) 319 | statsRow(4, $NAME_FILE_READ, $count_fr, $count_all); 320 | if($count_fi > 0) 321 | statsRow(5, $NAME_FILE_INCLUDE, $count_fi, $count_all); 322 | if($count_fa > 0) 323 | statsRow(6, $NAME_FILE_AFFECT, $count_fa, $count_all); 324 | if($count_ldap > 0) 325 | statsRow(7, $NAME_LDAP, $count_ldap, $count_all); 326 | if($count_sqli > 0) 327 | statsRow(8, $NAME_DATABASE, $count_sqli, $count_all); 328 | if($count_xpath > 0) 329 | statsRow(9, $NAME_XPATH, $count_xpath, $count_all); 330 | if($count_xss > 0) 331 | statsRow(10, $NAME_XSS, $count_xss, $count_all); 332 | if($count_header > 0) 333 | statsRow(11, $NAME_HTTP_HEADER, $count_header, $count_all); 334 | if($count_sf > 0) 335 | statsRow(12, $NAME_SESSION_FIXATION, $count_sf, $count_all); 336 | if($count_other > 0) 337 | statsRow(13, $NAME_OTHER, $count_other, $count_all); 338 | if($count_ri > 0) 339 | statsRow(14, $NAME_REFLECTION, $count_ri, $count_all); 340 | if($count_pop > 0) 341 | statsRow(15, $NAME_POP, $count_pop, $count_all); 342 | echo ''; 343 | } else 344 | { 345 | echo ''; 346 | } 347 | } else 348 | { 349 | echo ''; 350 | } 351 | 352 | echo '
    共计:',$count_all,'
    这程序太牛逼了,没找到漏洞.
    ',(($count_matches == 0) ? 'No' : $count_matches),' 符合条件的.

    ', 353 | ''; 354 | if(empty($_POST['search'])) 355 | { 356 | echo '', 368 | '', 374 | '', 375 | '', 376 | '', 377 | '
    扫描的文件数:',count($files),'
    成功包含:'; 357 | 358 | if($count_inc > 0) 359 | { 360 | echo ($count_inc_success=$count_inc-$count_inc_fail).'/'.$count_inc, 361 | ' ('.$round_inc_success=round(($count_inc_success/$count_inc)*100,0).'%)'; 362 | } else 363 | { 364 | echo '没有包含.'; 365 | } 366 | 367 | echo '
    发现的链接:',count($scan_functions),''; 369 | if(empty($_POST['search']) && $count_all > 0) 370 | { 371 | echo '
    '; 372 | } 373 | echo '
    用户使用的函数:'.(count($user_functions_offset)-(count($user_functions_offset)>0?1:0)).'
    独特的来源:'.count($user_input).'
    敏感的功能:'.(is_array($file_sinks_count) ? array_sum($file_sinks_count) : 0).'

    '; 378 | 379 | // output info gathering 380 | if( !empty($info) || ($count_inc>0 && $round_inc_success < 75 && !$scan_subdirs && count($files)>1) ) 381 | { 382 | $info = array_unique($info); 383 | echo ''; 384 | foreach($info as $detail) 385 | { 386 | echo ''; 387 | } 388 | if($count_inc>0 && $round_inc_success < 75 && !$scan_subdirs && count($files)>1) 389 | { 390 | echo ''; 391 | } 392 | echo '
    Info:',$detail,'
    Info:你的包含成功率太低勾选子目录可以更好地扫描

    '; 393 | } 394 | 395 | echo '
    来看看RIPS的下个版本吧!RIPS
    代码审计的艺术无处不在!

    '; 396 | } 397 | ?> 398 | 399 | 400 |
    扫描时间:
    401 | 402 |
    403 | 404 | -------------------------------------------------------------------------------- /windows/code.php: -------------------------------------------------------------------------------- 1 | 2 | . 16 | 17 | **/ 18 | 19 | include('../config/general.php'); 20 | 21 | // prepare output to style with CSS 22 | function highlightline($line, $line_nr, $marklines, $in_comment) 23 | { 24 | $tokens = @token_get_all(''); 25 | $output = (in_array($line_nr, $marklines)) ? ''; 97 | return $in_comment; 98 | } 99 | 100 | // print source code and mark lines 101 | 102 | $file = $_GET['file']; 103 | $marklines = explode(',', $_GET['lines']); 104 | $ext = '.'.pathinfo($file, PATHINFO_EXTENSION); 105 | 106 | 107 | if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES)) 108 | { 109 | $lines = file($file); 110 | 111 | // place line numbers in extra table for more elegant copy/paste without line numbers 112 | echo '
    ' : '
    '; 26 | 27 | for($i=0; $i', '', $tokens[$i][1]); 35 | } 36 | if($tokens[$i] === '/' && $tokens[$i-1] === '*') 37 | { 38 | $in_comment = false; 39 | } 40 | 41 | if($i == count($tokens)-1 && $tokens[$i-1][0] !== T_CLOSE_TAG) 42 | $tokens[$i][1] = str_replace('?'.'>', '', $tokens[$i][1]); 43 | 44 | if($in_comment) 45 | { 46 | if($tokens[$i][1] !== '') 47 | { 48 | $trimmed = is_array($tokens[$i]) ? trim($tokens[$i][1]) : trim($tokens[$i]); 49 | $output .= ''; 50 | $output .= empty($trimmed) ? ' ' : htmlentities($trimmed, ENT_QUOTES, 'utf-8'); 51 | $output .= ''; 52 | } 53 | } 54 | else if($tokens[$i] === '/' && $tokens[$i-1] === '*') 55 | $output .= '*/'; 56 | else if (is_string($tokens[$i])) 57 | { 58 | $output .= ''; 59 | $output .= htmlentities(trim($tokens[$i]), ENT_QUOTES, 'utf-8'); 60 | $output .= ''; 61 | } 62 | else if (is_array($tokens[$i]) 63 | && $tokens[$i][0] !== T_OPEN_TAG 64 | && $tokens[$i][0] !== T_CLOSE_TAG) 65 | { 66 | if ($tokens[$i][0] !== T_WHITESPACE) 67 | { 68 | $text = ''; 82 | } 83 | else 84 | { 85 | $text = str_replace(' ', ' ', $tokens[$i][1]); 86 | $text = str_replace("\t", str_repeat(' ', 8), $text); 87 | } 88 | 89 | $output .= $text; 90 | } 91 | } 92 | 93 | if(strstr($line, '*/')) 94 | $in_comment = false; 95 | 96 | echo $output.'
    '; 113 | for($i=1, $max=count($lines); $i<=$max;$i++) 114 | echo "'; 115 | echo '
    $i
    '; 116 | 117 | $in_comment = false; 118 | for($i=0; $i<$max; $i++) 119 | { 120 | $in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment); 121 | } 122 | } else 123 | { 124 | echo ''; 125 | } 126 | ?> 127 |
    Invalid file specified.
    128 |
    -------------------------------------------------------------------------------- /windows/exploit.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | if(!empty($_GET['file'])) 19 | { 20 | $file = $_GET['file']; 21 | ?> 22 | 23 |
    24 | 25 |
    26 | #!/usr/bin/php -f
    27 | <?php
    28 | #
    29 | # curl exploit
    30 | #

    31 |
    32 | 33 |
    34 |
    35 |
    36 |
    general settings:
    37 |
    38 |
    39 | 40 |
    41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 |
    URL:
    COOKIEJAR:
    Max Exec Time: (s)
    SSL: BasicAuth:
    59 |
    60 |
    61 | 62 | 70 | 71 |
    72 |
    73 |
    parameter:
    74 | 75 |
    76 |
    77 | 78 |
    79 |
    80 | 81 | \n", 90 | "\t\n", 91 | ''; 92 | } else 93 | { 94 | echo "\n\n"; 95 | } 96 | } 97 | ?> 98 |
    $param:
    You can taint \$_SERVER['$param'] by editing the target URL.
    99 |
    100 |
    101 |
    102 | 114 | 115 |   116 |

    117 |
    118 | 119 | 120 | ?> 121 |
    122 | -------------------------------------------------------------------------------- /windows/function.php: -------------------------------------------------------------------------------- 1 | 2 | . 16 | 17 | **/ 18 | 19 | include('../config/general.php'); 20 | 21 | // prepare output to style with CSS 22 | function highlightline($line, $line_nr) 23 | { 24 | $tokens = @token_get_all(''); 25 | $output = "'; 54 | } 55 | 56 | // print function code 57 | 58 | $file = $_GET['file']; 59 | $start = (int)$_GET['start']; 60 | $end = (int)$_GET['end']; 61 | $ext = '.'.pathinfo($file, PATHINFO_EXTENSION); 62 | 63 | 64 | if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES)) 65 | { 66 | $lines = file($file); 67 | 68 | if( isset($lines[$start]) && isset($lines[$end]) ) 69 | { 70 | for($i=$start; $i<=$end; $i++) 71 | { 72 | echo highlightline($lines[$i], $i); 73 | } 74 | } else 75 | { 76 | echo ''; 77 | } 78 | } else 79 | { 80 | echo ''; 81 | } 82 | ?> 83 |
    $line_nr   "; 26 | 27 | foreach ($tokens as $token) 28 | { 29 | if (is_string($token)) 30 | { 31 | $output .= ''; 32 | $output .= htmlentities($token, ENT_QUOTES, 'utf-8'); 33 | $output .= ''; 34 | } 35 | else if (is_array($token) 36 | && $token[0] !== T_OPEN_TAG 37 | && $token[0] !== T_CLOSE_TAG) 38 | { 39 | if ($token[0] !== T_WHITESPACE) 40 | { 41 | $text = ''; 42 | $text.= htmlentities($token[1], ENT_QUOTES, 'utf-8').''; 43 | } 44 | else 45 | { 46 | $text = str_replace(' ', ' ', $token[1]); 47 | $text = str_replace("\t", str_repeat(' ', 8), $text); 48 | } 49 | 50 | $output .= $text; 51 | } 52 | } 53 | return $output.'
    Sorry, wrong file referenced.
    Sorry, no file referenced.
    -------------------------------------------------------------------------------- /windows/help.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | header("Content-type: text/html; charset=utf-8"); 18 | 19 | include '../config/general.php'; 20 | include '../config/securing.php'; 21 | include '../config/sinks.php'; 22 | include '../config/tokens.php'; 23 | include '../config/sources.php'; 24 | include '../config/help.php'; 25 | include '../lib/printer.php'; 26 | 27 | $function = htmlentities($_GET['function'], ENT_QUOTES, 'utf-8'); 28 | $type = htmlentities($_GET['type'], ENT_QUOTES, 'utf-8'); 29 | $type = explode(" (", $type); 30 | $type = $type[0]; 31 | 32 | switch($type) 33 | { 34 | case $NAME_XSS: $HELP = $HELP_XSS; 35 | $FUNCS = $F_SECURING_XSS; 36 | break; 37 | case $NAME_HTTP_HEADER: $HELP = $HELP_HTTP_HEADER; 38 | $FUNCS = array(); 39 | break; 40 | case $NAME_SESSION_FIXATION: $HELP = $HELP_SESSION_FIXATION; 41 | $FUNCS = array(); 42 | break; 43 | case $NAME_CODE: $HELP = $HELP_CODE; 44 | $FUNCS = $F_SECURING_PREG; 45 | break; 46 | case $NAME_REFLECTION: $HELP = $HELP_REFLECTION; 47 | $FUNCS = array(); 48 | break; 49 | case $NAME_FILE_INCLUDE: $HELP = $HELP_FILE_INCLUDE; 50 | $FUNCS = $F_SECURING_FILE; 51 | break; 52 | case $NAME_FILE_READ: $HELP = $HELP_FILE_READ; 53 | $FUNCS = $F_SECURING_FILE; 54 | break; 55 | case $NAME_FILE_AFFECT: $HELP = $HELP_FILE_AFFECT; 56 | $FUNCS = $F_SECURING_FILE; 57 | break; 58 | case $NAME_EXEC: $HELP = $HELP_EXEC; 59 | $FUNCS = $F_SECURING_SYSTEM; 60 | break; 61 | case $NAME_DATABASE: $HELP = $HELP_DATABASE; 62 | $FUNCS = $F_SECURING_SQL; 63 | break; 64 | case $NAME_XPATH: $HELP = $HELP_XPATH; 65 | $FUNCS = $F_SECURING_XPATH; 66 | break; 67 | case $NAME_LDAP: $HELP = $HELP_LDAP; 68 | $FUNCS = $F_SECURING_LDAP; 69 | break; 70 | case $NAME_CONNECT: $HELP = $HELP_CONNECT; 71 | $FUNCS = array(); 72 | break; 73 | case $NAME_POP: $HELP = $HELP_POP; 74 | $FUNCS = 
array(); 75 | break; 76 | default: 77 | $HELP = array( 78 | 'description' => '没有该漏洞的描述', 79 | 'link' => '', 80 | 'code' => 'Not available.', 81 | 'poc' => 'Not available.' 82 | ); 83 | break; 84 | } 85 | ?> 86 | 87 |
    88 |

    89 |

    漏洞概念:

    90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 116 | 117 | 120 | 121 | 124 | 125 |
    来源有关函数漏洞
    101 |
      102 | $_GET'; 105 | if($_GET['post']) 106 | echo '
    • $_POST
    • ';; 107 | if($_GET['cookie']) 108 | echo '
    • $_COOKIE
    • '; 109 | if($_GET['files']) 110 | echo '
    • $_FILES
    • '; 111 | if($_GET['server']) 112 | echo '
    • $_SERVER
    • '; 113 | ?> 114 |
    115 |

    +

    118 | '.$function.'()'; ?> 119 |

    =

    122 | 123 |
    126 | 127 |

    漏洞信息描述:

    128 |

    129 |

    here."; ?>

    130 | 131 |

    漏洞代码展示:

    132 |
    133 | 134 |

    验证用的POC

    135 |

    136 | 137 |

    补丁:

    138 |
    139 | 140 |

    相关的安全功能:

    141 |
      142 | '.$func."\n"; 148 | } 149 | } else 150 | { 151 | echo 'None.'; 152 | } 153 | ?> 154 |
    155 |
    -------------------------------------------------------------------------------- /windows/hotpatch.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | if(!empty($_GET['file'])) 19 | { 20 | $file = $_GET['file']; 21 | ?> 22 | 23 |
    24 | 25 | 26 |
    27 | 28 | Create mod_security rule. 29 | 30 | ' 35 | .'' 36 | .'' 37 | .''; 38 | } 39 | 40 | function creatediv($method, $name) 41 | { 42 | if(!empty($method)) 43 | { 44 | $method = htmlentities($method, ENT_QUOTES, 'utf-8'); 45 | ?> 46 | 47 |
    48 |
    49 |
    parameter:
    50 | 51 |
    52 |
    53 | 54 |
    55 |
    56 | 57 | \n", 65 | "\t", 66 | "\n", 67 | ''; 68 | } else 69 | { 70 | echo "\n\n"; 71 | } 72 | } 73 | ?> 74 |
    $param:".getFilterOptions($method.$param)."
    You can taint \$_SERVER['$param'] by editing the target URL.
    75 |
    76 |
    77 |
    78 | 90 | 91 |   92 |

    93 |
    94 | 95 |
    96 | 97 |
    98 | 99 | 106 | 107 |
    -------------------------------------------------------------------------------- /windows/leakscan.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | ############################### INCLUDES ################################ 19 | 20 | include('../config/general.php'); // general settings 21 | include('../config/sources.php'); // tainted variables and functions 22 | include('../config/tokens.php'); // tokens for lexical analysis 23 | include('../config/securing.php'); // securing functions 24 | include('../config/sinks.php'); // sensitive sinks 25 | include('../config/info.php'); // interesting functions 26 | 27 | include('../lib/constructer.php'); // classes 28 | include('../lib/filer.php'); // read files from dirs and subdirs 29 | include('../lib/tokenizer.php'); // prepare and fix token list 30 | include('../lib/analyzer.php'); // string analyzers 31 | include('../lib/scanner.php'); // scan for sinks in token list 32 | include('../lib/printer.php'); // output scan result 33 | include('../lib/searcher.php'); // search functions 34 | 35 | ############################### MAIN #################################### 36 | 37 | $start = microtime(TRUE); 38 | 39 | $output = array(); 40 | $info = array(); 41 | $scanned_files = array(); 42 | 43 | if(!empty($_POST['loc'])) 44 | { 45 | $location = realpath($_POST['loc']); 46 | 47 | if(is_dir($location)) 48 | { 49 | $scan_subdirs = isset($_POST['subdirs']) ? 
$_POST['subdirs'] : false; 50 | $files = read_recursiv($location, $scan_subdirs); 51 | 52 | if(count($files) > WARNFILES && !isset($_POST['ignore_warning'])) 53 | die('warning:'.count($files)); 54 | } 55 | else if(is_file($location) && in_array(substr($location, strrpos($location, '.')), $FILETYPES)) 56 | { 57 | $files[0] = $location; 58 | } 59 | else 60 | { 61 | $files = array(); 62 | } 63 | 64 | // SCAN 65 | $user_functions = array(); 66 | $user_functions_offset = array(); 67 | $file_sinks_count = array(); 68 | $user_input = array(); 69 | 70 | $count_xss=$count_sqli=$count_fr=$count_fa=$count_fi=$count_exec=$count_code=$count_eval=$count_xpath=$count_ldap=$count_con=$count_other=$count_pop=$count_inc=$count_inc_fail=$count_header=0; 71 | 72 | $verbosity = 3; 73 | 74 | $scan_functions = array_merge($F_XSS, $F_HTTP_HEADER, $F_SESSION_FIXATION); 75 | $F_USERINPUT = array(); 76 | $V_USERINPUT = array($_POST['varname']); 77 | $F_SECURING_XSS = array(); 78 | $_POST['vector'] = 'client'; 79 | 80 | $overall_time = 0; 81 | $timeleft = 0; 82 | $file_amount = count($files); 83 | 84 | for($fit=0; $fit<$file_amount; $fit++) 85 | { 86 | // for scanning display 87 | $thisfile_start = microtime(TRUE); 88 | $file_scanning = $files[$fit]; 89 | 90 | echo ($fit) . '|' . $file_amount . '|' . $file_scanning . '|' . $timeleft . 
'|' ."\n"; 91 | @ob_flush(); 92 | flush(); 93 | 94 | $scan = new Scanner($file_scanning, $scan_functions, array(), array()); 95 | $scan->parse(); 96 | 97 | $overall_time += microtime(TRUE) - $thisfile_start; 98 | // timeleft = average_time_per_file * file_amount_left 99 | $timeleft = round(($overall_time/($fit+1)) * ($file_amount - $fit+1),2); 100 | } 101 | echo "STATS_DONE.\n"; 102 | @ob_flush(); 103 | flush(); 104 | } 105 | 106 | $elapsed = microtime(TRUE) - $start; 107 | 108 | ################################ RESULT ################################# 109 | 110 | $treestyle = $_POST['treestyle']; 111 | 112 | function checkLeak($tree, $line, $varname) 113 | { 114 | if($tree->children) 115 | { 116 | foreach ($tree->children as $child) 117 | { 118 | // really dirty :( 119 | if(preg_match("/$line:.*markVariable\('$varname/", $child->value)) 120 | return true; 121 | return checkLeak($child, $line, $varname); 122 | } 123 | } 124 | return false; 125 | } 126 | 127 | // check for line leaks found in vulnblock 128 | function lineLeakes($line, $var, $block) 129 | { 130 | foreach($block->treenodes as $tree) 131 | { 132 | if(checkLeak($tree, $line, $var)) 133 | return true; 134 | } 135 | return false; 136 | } 137 | 138 | if(!empty($output)) 139 | { 140 | $nr=0; 141 | reset($output); 142 | do 143 | { 144 | if(key($output) != "" && !empty($output[key($output)]) ) 145 | { 146 | foreach($output[key($output)] as $vulnBlock) 147 | { 148 | if(lineLeakes($_POST['line'], str_replace('$','',$_POST['varname']), $vulnBlock)) 149 | { 150 | $nr++; 151 | echo '
    ', 152 | '
    Data Leak
    ', 154 | '
    '; 155 | 156 | if($treestyle == 2) 157 | krsort($vulnBlock->treenodes); 158 | 159 | foreach($vulnBlock->treenodes as $tree) 160 | { 161 | echo '
    ',"\n", 162 | '
    ',"\n", 163 | '
    '."\n", 167 | '

    ',"\n"; 169 | 170 | echo '
    The return value of the sensitive sink is embedded into the HTML output.', 171 | '
    ',"\n"; 172 | 173 | if($treestyle == 1) 174 | traverseBottomUp($tree); 175 | else if($treestyle == 2) 176 | traverseTopDown($tree); 177 | 178 | echo '
    • ',"\n"; 179 | dependenciesTraverse($tree); 180 | echo '
    ',"\n", '
    ',"\n", '
    ',"\n"; 181 | } 182 | echo '
    ',"\n"; 183 | } 184 | } 185 | 186 | } 187 | } 188 | while(next($output)); 189 | } 190 | ?> --------------------------------------------------------------------------------